/src/samba/source3/libads/kerberos.c
Line | Count | Source |
1 | | /* |
2 | | Unix SMB/CIFS implementation. |
3 | | kerberos utility library |
4 | | Copyright (C) Andrew Tridgell 2001 |
5 | | Copyright (C) Remus Koos 2001 |
6 | | Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004. |
7 | | Copyright (C) Jeremy Allison 2004. |
8 | | Copyright (C) Gerald Carter 2006. |
9 | | |
10 | | This program is free software; you can redistribute it and/or modify |
11 | | it under the terms of the GNU General Public License as published by |
12 | | the Free Software Foundation; either version 3 of the License, or |
13 | | (at your option) any later version. |
14 | | |
15 | | This program is distributed in the hope that it will be useful, |
16 | | but WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
18 | | GNU General Public License for more details. |
19 | | |
20 | | You should have received a copy of the GNU General Public License |
21 | | along with this program. If not, see <http://www.gnu.org/licenses/>. |
22 | | */ |
23 | | |
24 | | #include "includes.h" |
25 | | #include "libsmb/namequery.h" |
26 | | #include "system/filesys.h" |
27 | | #include "smb_krb5.h" |
28 | | #include "../librpc/gen_ndr/ndr_misc.h" |
29 | | #include "../librpc/gen_ndr/samr.h" |
30 | | #include "libads/kerberos_proto.h" |
31 | | #include "libads/netlogon_ping.h" |
32 | | #include "secrets.h" |
33 | | #include "../lib/tsocket/tsocket.h" |
34 | | #include "../libcli/util/tstream.h" |
35 | | #include "../lib/util/tevent_ntstatus.h" |
36 | | #include "lib/util/asn1.h" |
37 | | #include "librpc/gen_ndr/netlogon.h" |
38 | | |
39 | | #ifdef HAVE_KRB5 |
40 | | |
41 | | /* |
42 | | we use a prompter to avoid a crash bug in the kerberos libs when |
43 | | dealing with empty passwords |
44 | | this prompter is just a string copy ... |
45 | | */ |
46 | | static krb5_error_code |
47 | | kerb_prompter(krb5_context ctx, void *data, |
48 | | const char *name, |
49 | | const char *banner, |
50 | | int num_prompts, |
51 | | krb5_prompt prompts[]) |
52 | 0 | { |
53 | 0 | if (num_prompts == 0) return 0; |
54 | 0 | if (num_prompts == 2) { |
55 | | /* |
56 | | * only heimdal has a prompt type and we need to deal with it here to |
57 | | * avoid loops. |
58 | | * |
59 | | * removing the prompter completely is not an option as at least these |
60 | | * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal |
61 | | * version have looping detection and return with a proper error code. |
62 | | */ |
63 | |
|
64 | 0 | #if defined(HAVE_KRB5_PROMPT_TYPE) /* Heimdal */ |
65 | 0 | if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD && |
66 | 0 | prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) { |
67 | | /* |
68 | | * We don't want to change passwords here. We're |
69 | | * called from heimdal when the KDC returns |
70 | | * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't |
71 | | * have the chance to ask the user for a new |
72 | | * password. If we return 0 (i.e. success), we will be |
73 | | * spinning in the endless for-loop in |
74 | | * change_password() in |
75 | | * third_party/heimdal/lib/krb5/init_creds_pw.c |
76 | | */ |
77 | 0 | return KRB5KDC_ERR_KEY_EXPIRED; |
78 | 0 | } |
79 | | #elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */ |
80 | | krb5_prompt_type *prompt_types = NULL; |
81 | | |
82 | | prompt_types = krb5_get_prompt_types(ctx); |
83 | | if (prompt_types != NULL) { |
84 | | if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD && |
85 | | prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) { |
86 | | return KRB5KDC_ERR_KEY_EXP; |
87 | | } |
88 | | } |
89 | | #endif |
90 | 0 | } |
91 | | |
92 | 0 | memset(prompts[0].reply->data, '\0', prompts[0].reply->length); |
93 | 0 | if (prompts[0].reply->length > 0) { |
94 | 0 | if (data) { |
95 | 0 | strncpy((char *)prompts[0].reply->data, (const char *)data, |
96 | 0 | prompts[0].reply->length-1); |
97 | 0 | prompts[0].reply->length = strlen((const char *)prompts[0].reply->data); |
98 | 0 | } else { |
99 | 0 | prompts[0].reply->length = 0; |
100 | 0 | } |
101 | 0 | } |
102 | 0 | return 0; |
103 | 0 | } |
104 | | |
105 | | typedef krb5_error_code (*get_init_creds_fn_t)(krb5_context context, |
106 | | krb5_creds *creds, |
107 | | krb5_principal client, |
108 | | krb5_get_init_creds_opt *options, |
109 | | void *private_data); |
110 | | |
111 | | /* |
112 | | simulate a kinit, putting the tgt in the given cache location. |
113 | | cache_name == NULL is not allowed. |
114 | | */ |
115 | | static int kerberos_kinit_generic_once(const char *given_principal, |
116 | | get_init_creds_fn_t get_init_creds_fn, |
117 | | void *get_init_creds_private, |
118 | | int time_offset, |
119 | | time_t *expire_time, |
120 | | time_t *renew_till_time, |
121 | | const char *cache_name, |
122 | | bool request_pac, |
123 | | bool add_netbios_addr, |
124 | | time_t renewable_time, |
125 | | TALLOC_CTX *mem_ctx, |
126 | | char **_canon_principal, |
127 | | char **_canon_realm, |
128 | | NTSTATUS *ntstatus) |
129 | 0 | { |
130 | 0 | TALLOC_CTX *frame = talloc_stackframe(); |
131 | 0 | krb5_context ctx = NULL; |
132 | 0 | krb5_error_code code = 0; |
133 | 0 | krb5_ccache cc = NULL; |
134 | 0 | krb5_principal me = NULL; |
135 | 0 | krb5_principal canon_princ = NULL; |
136 | 0 | krb5_creds my_creds; |
137 | 0 | krb5_get_init_creds_opt *opt = NULL; |
138 | 0 | smb_krb5_addresses *addr = NULL; |
139 | 0 | char *canon_principal = NULL; |
140 | 0 | char *canon_realm = NULL; |
141 | |
|
142 | 0 | ZERO_STRUCT(my_creds); |
143 | |
|
144 | 0 | if (ntstatus) { |
145 | 0 | *ntstatus = NT_STATUS_INTERNAL_ERROR; |
146 | 0 | } |
147 | |
|
148 | 0 | if (cache_name == NULL) { |
149 | 0 | DBG_DEBUG("Missing ccache for [%s] and config [%s]\n", |
150 | 0 | given_principal, |
151 | 0 | getenv("KRB5_CONFIG")); |
152 | 0 | TALLOC_FREE(frame); |
153 | 0 | return EINVAL; |
154 | 0 | } |
155 | | |
156 | 0 | code = smb_krb5_init_context_common(&ctx); |
157 | 0 | if (code != 0) { |
158 | 0 | DBG_ERR("kerberos init context failed (%s)\n", |
159 | 0 | error_message(code)); |
160 | 0 | TALLOC_FREE(frame); |
161 | 0 | return code; |
162 | 0 | } |
163 | | |
164 | 0 | if (time_offset != 0) { |
165 | 0 | krb5_set_real_time(ctx, time(NULL) + time_offset, 0); |
166 | 0 | } |
167 | |
|
168 | 0 | DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n", |
169 | 0 | given_principal, |
170 | 0 | cache_name, |
171 | 0 | getenv("KRB5_CONFIG")); |
172 | |
|
173 | 0 | if ((code = krb5_cc_resolve(ctx, cache_name, &cc))) { |
174 | 0 | goto out; |
175 | 0 | } |
176 | | |
177 | 0 | if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) { |
178 | 0 | goto out; |
179 | 0 | } |
180 | | |
181 | 0 | if ((code = krb5_get_init_creds_opt_alloc(ctx, &opt))) { |
182 | 0 | goto out; |
183 | 0 | } |
184 | | |
185 | 0 | krb5_get_init_creds_opt_set_renew_life(opt, renewable_time); |
186 | 0 | krb5_get_init_creds_opt_set_forwardable(opt, True); |
187 | | |
188 | | /* Turn on canonicalization for lower case realm support */ |
189 | 0 | #ifdef SAMBA4_USES_HEIMDAL |
190 | 0 | krb5_get_init_creds_opt_set_win2k(ctx, opt, true); |
191 | 0 | krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true); |
192 | | #else /* MIT */ |
193 | | krb5_get_init_creds_opt_set_canonicalize(opt, true); |
194 | | #endif /* MIT */ |
195 | | #if 0 |
196 | | /* insane testing */ |
197 | | krb5_get_init_creds_opt_set_tkt_life(opt, 60); |
198 | | #endif |
199 | |
|
200 | 0 | #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST |
201 | 0 | if (request_pac) { |
202 | 0 | if ((code = krb5_get_init_creds_opt_set_pac_request(ctx, opt, (krb5_boolean)request_pac))) { |
203 | 0 | goto out; |
204 | 0 | } |
205 | 0 | } |
206 | 0 | #endif |
207 | 0 | if (add_netbios_addr) { |
208 | 0 | if ((code = smb_krb5_gen_netbios_krb5_address(&addr, |
209 | 0 | lp_netbios_name()))) { |
210 | 0 | goto out; |
211 | 0 | } |
212 | 0 | krb5_get_init_creds_opt_set_address_list(opt, addr->addrs); |
213 | 0 | } |
214 | | |
215 | 0 | code = get_init_creds_fn(ctx, &my_creds, me, opt, get_init_creds_private); |
216 | 0 | if (code != 0) { |
217 | 0 | goto out; |
218 | 0 | } |
219 | | |
220 | 0 | canon_princ = my_creds.client; |
221 | |
|
222 | 0 | code = smb_krb5_unparse_name(frame, |
223 | 0 | ctx, |
224 | 0 | canon_princ, |
225 | 0 | &canon_principal); |
226 | 0 | if (code != 0) { |
227 | 0 | goto out; |
228 | 0 | } |
229 | | |
230 | 0 | DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal); |
231 | |
|
232 | 0 | canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ); |
233 | 0 | if (canon_realm == NULL) { |
234 | 0 | code = ENOMEM; |
235 | 0 | goto out; |
236 | 0 | } |
237 | | |
238 | 0 | if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) { |
239 | 0 | goto out; |
240 | 0 | } |
241 | | |
242 | 0 | if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { |
243 | 0 | goto out; |
244 | 0 | } |
245 | | |
246 | 0 | if (expire_time) { |
247 | 0 | *expire_time = (time_t) my_creds.times.endtime; |
248 | 0 | } |
249 | |
|
250 | 0 | if (renew_till_time) { |
251 | 0 | *renew_till_time = (time_t) my_creds.times.renew_till; |
252 | 0 | } |
253 | |
|
254 | 0 | if (_canon_principal != NULL) { |
255 | 0 | *_canon_principal = talloc_move(mem_ctx, &canon_principal); |
256 | 0 | } |
257 | 0 | if (_canon_realm != NULL) { |
258 | 0 | *_canon_realm = talloc_move(mem_ctx, &canon_realm); |
259 | 0 | } |
260 | 0 | out: |
261 | 0 | if (ntstatus) { |
262 | | /* fast path */ |
263 | 0 | if (code == 0) { |
264 | 0 | *ntstatus = NT_STATUS_OK; |
265 | 0 | goto cleanup; |
266 | 0 | } |
267 | | |
268 | | /* fall back to self-made-mapping */ |
269 | 0 | *ntstatus = krb5_to_nt_status(code); |
270 | 0 | } |
271 | | |
272 | 0 | cleanup: |
273 | 0 | krb5_free_cred_contents(ctx, &my_creds); |
274 | 0 | if (me) { |
275 | 0 | krb5_free_principal(ctx, me); |
276 | 0 | } |
277 | 0 | if (addr) { |
278 | 0 | smb_krb5_free_addresses(ctx, addr); |
279 | 0 | } |
280 | 0 | if (opt) { |
281 | 0 | krb5_get_init_creds_opt_free(ctx, opt); |
282 | 0 | } |
283 | 0 | if (cc) { |
284 | 0 | krb5_cc_close(ctx, cc); |
285 | 0 | } |
286 | 0 | if (ctx) { |
287 | 0 | krb5_free_context(ctx); |
288 | 0 | } |
289 | 0 | TALLOC_FREE(frame); |
290 | 0 | return code; |
291 | 0 | } |
292 | | |
293 | | struct kerberos_kinit_password_ext_private { |
294 | | const char *password; |
295 | | }; |
296 | | |
297 | | static krb5_error_code kerberos_kinit_password_ext_cb(krb5_context context, |
298 | | krb5_creds *creds, |
299 | | krb5_principal client, |
300 | | krb5_get_init_creds_opt *options, |
301 | | void *private_data) |
302 | 0 | { |
303 | 0 | struct kerberos_kinit_password_ext_private *ep = |
304 | 0 | (struct kerberos_kinit_password_ext_private *)private_data; |
305 | 0 | krb5_deltat start_time = 0; |
306 | 0 | const char *in_tkt_service = NULL; |
307 | |
|
308 | 0 | return krb5_get_init_creds_password(context, creds, client, |
309 | 0 | discard_const_p(char, ep->password), |
310 | 0 | kerb_prompter, |
311 | 0 | discard_const_p(char, ep->password), |
312 | 0 | start_time, |
313 | 0 | in_tkt_service, |
314 | 0 | options); |
315 | 0 | } |
316 | | |
317 | | /* |
318 | | simulate a kinit, putting the tgt in the given cache location. |
319 | | cache_name == NULL is not allowed. |
320 | | */ |
321 | | int kerberos_kinit_password_ext(const char *given_principal, |
322 | | const char *password, |
323 | | int time_offset, |
324 | | time_t *expire_time, |
325 | | time_t *renew_till_time, |
326 | | const char *cache_name, |
327 | | bool request_pac, |
328 | | bool add_netbios_addr, |
329 | | time_t renewable_time, |
330 | | TALLOC_CTX *mem_ctx, |
331 | | char **_canon_principal, |
332 | | char **_canon_realm, |
333 | | NTSTATUS *ntstatus) |
334 | 0 | { |
335 | 0 | struct kerberos_kinit_password_ext_private ep = { |
336 | 0 | .password = password, |
337 | 0 | }; |
338 | |
|
339 | 0 | return kerberos_kinit_generic_once(given_principal, |
340 | 0 | kerberos_kinit_password_ext_cb, |
341 | 0 | &ep, |
342 | 0 | time_offset, |
343 | 0 | expire_time, |
344 | 0 | renew_till_time, |
345 | 0 | cache_name, |
346 | 0 | request_pac, |
347 | 0 | add_netbios_addr, |
348 | 0 | renewable_time, |
349 | 0 | mem_ctx, |
350 | 0 | _canon_principal, |
351 | 0 | _canon_realm, |
352 | 0 | ntstatus); |
353 | 0 | } |
354 | | |
355 | | struct kerberos_transaction_cache { |
356 | | struct tsocket_address *local_addr; |
357 | | struct tsocket_address *kdc_addr; |
358 | | uint32_t timeout_msec; |
359 | | }; |
360 | | |
361 | | static NTSTATUS kerberos_transaction_cache_create( |
362 | | const char *explicit_kdc, |
363 | | uint32_t timeout_msec, |
364 | | TALLOC_CTX *mem_ctx, |
365 | | struct kerberos_transaction_cache **_kc) |
366 | 0 | { |
367 | 0 | struct kerberos_transaction_cache *kc = NULL; |
368 | 0 | int ret; |
369 | |
|
370 | 0 | kc = talloc_zero(mem_ctx, struct kerberos_transaction_cache); |
371 | 0 | if (kc == NULL) { |
372 | 0 | return NT_STATUS_NO_MEMORY; |
373 | 0 | } |
374 | 0 | kc->timeout_msec = timeout_msec; |
375 | | |
376 | | /* parse the address of explicit kdc */ |
377 | 0 | ret = tsocket_address_inet_from_strings(kc, |
378 | 0 | "ip", |
379 | 0 | explicit_kdc, |
380 | 0 | DEFAULT_KRB5_PORT, |
381 | 0 | &kc->kdc_addr); |
382 | 0 | if (ret != 0) { |
383 | 0 | NTSTATUS status = map_nt_error_from_unix_common(errno); |
384 | 0 | TALLOC_FREE(kc); |
385 | 0 | return status; |
386 | 0 | } |
387 | | |
388 | | /* get an address for us to use locally */ |
389 | 0 | ret = tsocket_address_inet_from_strings(kc, |
390 | 0 | "ip", |
391 | 0 | NULL, |
392 | 0 | 0, |
393 | 0 | &kc->local_addr); |
394 | 0 | if (ret != 0) { |
395 | 0 | NTSTATUS status = map_nt_error_from_unix_common(errno); |
396 | 0 | TALLOC_FREE(kc); |
397 | 0 | return status; |
398 | 0 | } |
399 | | |
400 | 0 | *_kc = kc; |
401 | 0 | return NT_STATUS_OK; |
402 | 0 | } |
403 | | |
404 | | #ifdef HAVE_KRB5_INIT_CREDS_STEP |
405 | | |
406 | | struct kerberos_transaction_state { |
407 | | struct tevent_context *ev; |
408 | | struct kerberos_transaction_cache *kc; |
409 | | struct tstream_context *stream; |
410 | | uint8_t in_hdr[4]; |
411 | | struct iovec in_iov[2]; |
412 | | DATA_BLOB rep_blob; |
413 | | }; |
414 | | |
415 | | static void kerberos_transaction_connect_done(struct tevent_req *subreq); |
416 | | |
417 | | static struct tevent_req *kerberos_transaction_send( |
418 | | TALLOC_CTX *mem_ctx, |
419 | | struct tevent_context *ev, |
420 | | struct kerberos_transaction_cache *kc, |
421 | | const char *realm, |
422 | | const DATA_BLOB req_blob) |
423 | 0 | { |
424 | 0 | struct tevent_req *req = NULL; |
425 | 0 | struct kerberos_transaction_state *state = NULL; |
426 | 0 | struct tevent_req *subreq = NULL; |
427 | 0 | struct timeval end; |
428 | |
|
429 | 0 | req = tevent_req_create(mem_ctx, &state, |
430 | 0 | struct kerberos_transaction_state); |
431 | 0 | if (req == NULL) { |
432 | 0 | return NULL; |
433 | 0 | } |
434 | 0 | state->ev = ev; |
435 | 0 | state->kc = kc; |
436 | |
|
437 | 0 | PUSH_BE_U32(state->in_hdr, 0, req_blob.length); |
438 | 0 | state->in_iov[0].iov_base = (char *)state->in_hdr; |
439 | 0 | state->in_iov[0].iov_len = 4; |
440 | 0 | state->in_iov[1].iov_base = (char *)req_blob.data; |
441 | 0 | state->in_iov[1].iov_len = req_blob.length; |
442 | |
|
443 | 0 | end = timeval_current_ofs_msec(state->kc->timeout_msec); |
444 | 0 | if (!tevent_req_set_endtime(req, state->ev, end)) { |
445 | 0 | return tevent_req_post(req, state->ev); |
446 | 0 | } |
447 | | |
448 | 0 | subreq = tstream_inet_tcp_connect_send(state, |
449 | 0 | state->ev, |
450 | 0 | state->kc->local_addr, |
451 | 0 | state->kc->kdc_addr); |
452 | 0 | if (tevent_req_nomem(subreq, req)) { |
453 | 0 | return tevent_req_post(req, state->ev); |
454 | 0 | } |
455 | 0 | tevent_req_set_callback(subreq, kerberos_transaction_connect_done, req); |
456 | |
|
457 | 0 | return req; |
458 | 0 | } |
459 | | |
460 | | static void kerberos_transaction_writev_done(struct tevent_req *subreq); |
461 | | static void kerberos_transaction_read_pdu_done(struct tevent_req *subreq); |
462 | | |
463 | | static void kerberos_transaction_connect_done(struct tevent_req *subreq) |
464 | 0 | { |
465 | 0 | struct tevent_req *req = |
466 | 0 | tevent_req_callback_data(subreq, |
467 | 0 | struct tevent_req); |
468 | 0 | struct kerberos_transaction_state *state = |
469 | 0 | tevent_req_data(req, |
470 | 0 | struct kerberos_transaction_state); |
471 | 0 | int ret, sys_errno; |
472 | |
|
473 | 0 | ret = tstream_inet_tcp_connect_recv(subreq, |
474 | 0 | &sys_errno, |
475 | 0 | state, |
476 | 0 | &state->stream, |
477 | 0 | NULL); |
478 | 0 | TALLOC_FREE(subreq); |
479 | 0 | if (ret != 0) { |
480 | 0 | NTSTATUS status = map_nt_error_from_unix_common(sys_errno); |
481 | 0 | tevent_req_nterror(req, status); |
482 | 0 | return; |
483 | 0 | } |
484 | | |
485 | 0 | subreq = tstream_writev_send(state, |
486 | 0 | state->ev, |
487 | 0 | state->stream, |
488 | 0 | state->in_iov, 2); |
489 | 0 | if (tevent_req_nomem(subreq, req)) { |
490 | 0 | return; |
491 | 0 | } |
492 | 0 | tevent_req_set_callback(subreq, kerberos_transaction_writev_done, req); |
493 | |
|
494 | 0 | subreq = tstream_read_pdu_blob_send(state, |
495 | 0 | state->ev, |
496 | 0 | state->stream, |
497 | 0 | 4, /* initial_read_size */ |
498 | 0 | tstream_full_request_u32, |
499 | 0 | req); |
500 | 0 | if (tevent_req_nomem(subreq, req)) { |
501 | 0 | return; |
502 | 0 | } |
503 | 0 | tevent_req_set_callback(subreq, kerberos_transaction_read_pdu_done, req); |
504 | 0 | } |
505 | | |
506 | | static void kerberos_transaction_writev_done(struct tevent_req *subreq) |
507 | 0 | { |
508 | 0 | struct tevent_req *req = |
509 | 0 | tevent_req_callback_data(subreq, |
510 | 0 | struct tevent_req); |
511 | 0 | int ret, sys_errno; |
512 | |
|
513 | 0 | ret = tstream_writev_recv(subreq, &sys_errno); |
514 | 0 | TALLOC_FREE(subreq); |
515 | 0 | if (ret == -1) { |
516 | 0 | NTSTATUS status = map_nt_error_from_unix_common(sys_errno); |
517 | 0 | tevent_req_nterror(req, status); |
518 | 0 | return; |
519 | 0 | } |
520 | 0 | } |
521 | | |
522 | | static void kerberos_transaction_read_pdu_done(struct tevent_req *subreq) |
523 | 0 | { |
524 | 0 | struct tevent_req *req = |
525 | 0 | tevent_req_callback_data(subreq, |
526 | 0 | struct tevent_req); |
527 | 0 | struct kerberos_transaction_state *state = |
528 | 0 | tevent_req_data(req, |
529 | 0 | struct kerberos_transaction_state); |
530 | 0 | NTSTATUS status; |
531 | |
|
532 | 0 | status = tstream_read_pdu_blob_recv(subreq, state, &state->rep_blob); |
533 | 0 | TALLOC_FREE(subreq); |
534 | 0 | if (tevent_req_nterror(req, status)) { |
535 | 0 | return; |
536 | 0 | } |
537 | | |
538 | | /* |
539 | | * raw blob has the length in the first 4 bytes, |
540 | | * which we do not need here. |
541 | | */ |
542 | 0 | memmove(state->rep_blob.data, |
543 | 0 | state->rep_blob.data + 4, |
544 | 0 | state->rep_blob.length - 4); |
545 | 0 | state->rep_blob.length -= 4; |
546 | |
|
547 | 0 | tevent_req_done(req); |
548 | 0 | } |
549 | | |
550 | | static NTSTATUS kerberos_transaction_recv(struct tevent_req *req, |
551 | | TALLOC_CTX *mem_ctx, |
552 | | DATA_BLOB *rep_blob) |
553 | 0 | { |
554 | 0 | struct kerberos_transaction_state *state = |
555 | 0 | tevent_req_data(req, |
556 | 0 | struct kerberos_transaction_state); |
557 | 0 | NTSTATUS status; |
558 | |
|
559 | 0 | if (tevent_req_is_nterror(req, &status)) { |
560 | 0 | tevent_req_received(req); |
561 | 0 | return status; |
562 | 0 | } |
563 | | |
564 | 0 | rep_blob->data = talloc_move(mem_ctx, &state->rep_blob.data); |
565 | 0 | rep_blob->length = state->rep_blob.length; |
566 | |
|
567 | 0 | tevent_req_received(req); |
568 | 0 | return NT_STATUS_OK; |
569 | 0 | } |
570 | | |
571 | | static NTSTATUS kerberos_transaction( |
572 | | struct kerberos_transaction_cache *kc, |
573 | | const char *realm, |
574 | | const DATA_BLOB req_blob, |
575 | | TALLOC_CTX *mem_ctx, |
576 | | DATA_BLOB *rep_blob) |
577 | 0 | { |
578 | 0 | TALLOC_CTX *frame = talloc_stackframe(); |
579 | 0 | struct tevent_context *ev = NULL; |
580 | 0 | struct tevent_req *req = NULL; |
581 | 0 | NTSTATUS status = NT_STATUS_NO_MEMORY; |
582 | |
|
583 | 0 | ev = samba_tevent_context_init(frame); |
584 | 0 | if (ev == NULL) { |
585 | 0 | goto fail; |
586 | 0 | } |
587 | 0 | req = kerberos_transaction_send(frame, ev, kc, realm, req_blob); |
588 | 0 | if (req == NULL) { |
589 | 0 | goto fail; |
590 | 0 | } |
591 | 0 | if (!tevent_req_poll_ntstatus(req, ev, &status)) { |
592 | 0 | goto fail; |
593 | 0 | } |
594 | 0 | status = kerberos_transaction_recv(req, mem_ctx, rep_blob); |
595 | 0 | fail: |
596 | 0 | TALLOC_FREE(frame); |
597 | 0 | return status; |
598 | 0 | } |
599 | | |
600 | | #endif /* HAVE_KRB5_INIT_CREDS_STEP */ |
601 | | |
602 | | struct kerberos_kinit_passwords_ext_private { |
603 | | const char *explicit_kdc; |
604 | | uint32_t timeout_msec; |
605 | | struct kerberos_transaction_cache *kc; |
606 | | const char *password; |
607 | | const struct samr_Password *nt_hash; |
608 | | }; |
609 | | |
610 | | static krb5_error_code kerberos_kinit_passwords_ext_cb(krb5_context context, |
611 | | krb5_creds *creds, |
612 | | krb5_principal client, |
613 | | krb5_get_init_creds_opt *options, |
614 | | void *private_data) |
615 | 0 | { |
616 | 0 | struct kerberos_kinit_passwords_ext_private *ep = |
617 | 0 | (struct kerberos_kinit_passwords_ext_private *)private_data; |
618 | 0 | TALLOC_CTX *frame = talloc_stackframe(); |
619 | 0 | krb5_deltat start_time = 0; |
620 | 0 | krb5_init_creds_context ctx = NULL; |
621 | 0 | krb5_keytab keytab = NULL; |
622 | 0 | krb5_error_code ret; |
623 | 0 | #ifdef HAVE_KRB5_INIT_CREDS_STEP |
624 | 0 | DATA_BLOB rep_blob = { .length = 0, }; |
625 | 0 | #endif /* HAVE_KRB5_INIT_CREDS_STEP */ |
626 | |
|
627 | 0 | ZERO_STRUCTP(creds); |
628 | |
|
629 | 0 | ret = krb5_init_creds_init(context, |
630 | 0 | client, |
631 | 0 | NULL, /* prompter */ |
632 | 0 | NULL, /* prompter_data */ |
633 | 0 | start_time, |
634 | 0 | options, |
635 | 0 | &ctx); |
636 | 0 | if (ret) { |
637 | 0 | TALLOC_FREE(frame); |
638 | 0 | return ret; |
639 | 0 | } |
640 | | |
641 | 0 | if (ep->password != NULL) { |
642 | 0 | ret = krb5_init_creds_set_password(context, ctx, ep->password); |
643 | 0 | if (ret) { |
644 | 0 | krb5_init_creds_free(context, ctx); |
645 | 0 | TALLOC_FREE(frame); |
646 | 0 | return ret; |
647 | 0 | } |
648 | 0 | } else if (ep->nt_hash != NULL) { |
649 | 0 | const char *keytab_name = "MEMORY:kerberos_kinit_passwords_ext_cb"; |
650 | 0 | krb5_keytab_entry entry = { .principal = client, }; |
651 | |
|
652 | 0 | ret = krb5_kt_resolve(context, keytab_name, &keytab); |
653 | 0 | if (ret) { |
654 | 0 | krb5_init_creds_free(context, ctx); |
655 | 0 | TALLOC_FREE(frame); |
656 | 0 | return ret; |
657 | 0 | } |
658 | | |
659 | 0 | ret = smb_krb5_keyblock_init_contents(context, |
660 | 0 | ENCTYPE_ARCFOUR_HMAC, |
661 | 0 | ep->nt_hash->hash, |
662 | 0 | ARRAY_SIZE(ep->nt_hash->hash), |
663 | 0 | KRB5_KT_KEY(&entry)); |
664 | 0 | if (ret) { |
665 | 0 | krb5_init_creds_free(context, ctx); |
666 | 0 | krb5_kt_close(context, keytab); |
667 | 0 | TALLOC_FREE(frame); |
668 | 0 | return ret; |
669 | 0 | } |
670 | | |
671 | 0 | ret = krb5_kt_add_entry(context, keytab, &entry); |
672 | 0 | krb5_free_keyblock_contents(context, KRB5_KT_KEY(&entry)); |
673 | 0 | if (ret) { |
674 | 0 | krb5_init_creds_free(context, ctx); |
675 | 0 | krb5_kt_close(context, keytab); |
676 | 0 | TALLOC_FREE(frame); |
677 | 0 | return ret; |
678 | 0 | } |
679 | | |
680 | 0 | ret = krb5_init_creds_set_keytab(context, ctx, keytab); |
681 | 0 | if (ret) { |
682 | 0 | krb5_init_creds_free(context, ctx); |
683 | 0 | krb5_kt_close(context, keytab); |
684 | 0 | TALLOC_FREE(frame); |
685 | 0 | return ret; |
686 | 0 | } |
687 | 0 | } else { |
688 | 0 | ret = EINVAL; |
689 | 0 | krb5_init_creds_free(context, ctx); |
690 | 0 | TALLOC_FREE(frame); |
691 | 0 | return ret; |
692 | 0 | } |
693 | | |
694 | 0 | if (ep->kc == NULL) { |
695 | | /* |
696 | | * Use the logic from the krb5 libraries |
697 | | * to find the KDC |
698 | | */ |
699 | 0 | ret = krb5_init_creds_get(context, ctx); |
700 | 0 | if (ret) { |
701 | 0 | krb5_init_creds_free(context, ctx); |
702 | 0 | if (keytab != NULL) { |
703 | 0 | krb5_kt_close(context, keytab); |
704 | 0 | } |
705 | 0 | TALLOC_FREE(frame); |
706 | 0 | return ret; |
707 | 0 | } |
708 | | |
709 | 0 | goto got_creds; |
710 | 0 | } |
711 | | |
712 | 0 | #ifdef HAVE_KRB5_INIT_CREDS_STEP |
713 | 0 | while (true) { |
714 | 0 | #if defined(HAVE_KRB5_REALM_TYPE) |
715 | | /* Heimdal. */ |
716 | 0 | krb5_realm krealm = NULL; |
717 | | #else |
718 | | /* MIT */ |
719 | | krb5_data krealm = { .length = 0, }; |
720 | | #endif |
721 | 0 | unsigned int flags = 0; |
722 | 0 | const char *realm = NULL; |
723 | 0 | krb5_data in = { .length = 0, }; |
724 | 0 | krb5_data out = { .length = 0, }; |
725 | 0 | DATA_BLOB req_blob = { .length = 0, }; |
726 | 0 | NTSTATUS status; |
727 | |
|
728 | 0 | in.data = (void *)rep_blob.data; |
729 | 0 | in.length = rep_blob.length; |
730 | |
|
731 | 0 | flags = 0; |
732 | 0 | ret = krb5_init_creds_step(context, |
733 | 0 | ctx, |
734 | 0 | &in, |
735 | 0 | &out, |
736 | 0 | &krealm, |
737 | 0 | &flags); |
738 | 0 | data_blob_free(&rep_blob); |
739 | 0 | in = (krb5_data) { .length = 0, }; |
740 | 0 | if (ret) { |
741 | 0 | krb5_init_creds_free(context, ctx); |
742 | 0 | if (keytab != NULL) { |
743 | 0 | krb5_kt_close(context, keytab); |
744 | 0 | } |
745 | 0 | TALLOC_FREE(frame); |
746 | 0 | return ret; |
747 | 0 | } |
748 | | |
749 | 0 | if ((flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) == 0) { |
750 | 0 | smb_krb5_free_data_contents(context, &out); |
751 | 0 | #if defined(HAVE_KRB5_REALM_TYPE) |
752 | | /* Heimdal. */ |
753 | 0 | SAFE_FREE(krealm); |
754 | | #else |
755 | | /* MIT */ |
756 | | smb_krb5_free_data_contents(context, &krealm); |
757 | | #endif |
758 | 0 | break; |
759 | 0 | } |
760 | | |
761 | 0 | #if defined(HAVE_KRB5_REALM_TYPE) |
762 | | /* Heimdal. */ |
763 | 0 | realm = talloc_strdup(frame, krealm); |
764 | 0 | SAFE_FREE(krealm); |
765 | | #else |
766 | | /* MIT */ |
767 | | realm = talloc_strndup(frame, krealm.data, krealm.length); |
768 | | smb_krb5_free_data_contents(context, &krealm); |
769 | | #endif |
770 | 0 | if (realm == NULL) { |
771 | 0 | smb_krb5_free_data_contents(context, &out); |
772 | 0 | krb5_init_creds_free(context, ctx); |
773 | 0 | if (keytab != NULL) { |
774 | 0 | krb5_kt_close(context, keytab); |
775 | 0 | } |
776 | 0 | TALLOC_FREE(frame); |
777 | 0 | return ENOMEM; |
778 | 0 | } |
779 | | |
780 | 0 | req_blob.data = (uint8_t *)out.data; |
781 | 0 | req_blob.length = out.length; |
782 | |
|
783 | 0 | status = kerberos_transaction(ep->kc, |
784 | 0 | realm, |
785 | 0 | req_blob, |
786 | 0 | frame, |
787 | 0 | &rep_blob); |
788 | 0 | smb_krb5_free_data_contents(context, &out); |
789 | 0 | req_blob = (DATA_BLOB) { .length = 0, }; |
790 | 0 | if (!NT_STATUS_IS_OK(status)) { |
791 | 0 | ret = map_errno_from_nt_status(status); |
792 | 0 | krb5_init_creds_free(context, ctx); |
793 | 0 | if (keytab != NULL) { |
794 | 0 | krb5_kt_close(context, keytab); |
795 | 0 | } |
796 | 0 | TALLOC_FREE(frame); |
797 | 0 | return ret; |
798 | 0 | } |
799 | 0 | } |
800 | | #else /* HAVE_KRB5_INIT_CREDS_STEP */ |
801 | | #ifdef USING_EMBEDDED_HEIMDAL |
802 | | #error missing HAVE_KRB5_INIT_CREDS_STEP |
803 | | #endif /* USING_EMBEDDED_HEIMDAL */ |
804 | | /* Caller should already check! */ |
805 | | smb_panic("krb5_init_creds_step not available"); |
806 | | #endif /* HAVE_KRB5_INIT_CREDS_STEP */ |
807 | | |
808 | 0 | got_creds: |
809 | 0 | ret = krb5_init_creds_get_creds(context, ctx, creds); |
810 | 0 | if (ret) { |
811 | 0 | krb5_init_creds_free(context, ctx); |
812 | 0 | if (keytab != NULL) { |
813 | 0 | krb5_kt_close(context, keytab); |
814 | 0 | } |
815 | 0 | TALLOC_FREE(frame); |
816 | 0 | return ret; |
817 | 0 | } |
818 | | |
819 | 0 | krb5_init_creds_free(context, ctx); |
820 | 0 | if (keytab != NULL) { |
821 | 0 | krb5_kt_close(context, keytab); |
822 | 0 | } |
823 | 0 | TALLOC_FREE(frame); |
824 | 0 | return 0; |
825 | 0 | } |
826 | | |
827 | | /* |
828 | | simulate a kinit, putting the tgt in the given cache location. |
829 | | cache_name == NULL is not allowed. |
830 | | This tries all given passwords until we don't get |
831 | | KDC_ERR_PREAUTH_FAILED. |
832 | | If passwords[i] is NULL it falls back to nt_hashes[i] |
833 | | */ |
834 | | int kerberos_kinit_passwords_ext(const char *given_principal, |
835 | | uint8_t num_passwords, |
836 | | const char * const *passwords, |
837 | | const struct samr_Password * const *nt_hashes, |
838 | | uint8_t *used_idx, |
839 | | const char *explicit_kdc, |
840 | | const char *cache_name, |
841 | | TALLOC_CTX *mem_ctx, |
842 | | char **_canon_principal, |
843 | | char **_canon_realm, |
844 | | NTSTATUS *ntstatus) |
845 | 0 | { |
846 | 0 | TALLOC_CTX *frame = talloc_stackframe(); |
847 | 0 | struct kerberos_kinit_passwords_ext_private ep = { |
848 | 0 | .explicit_kdc = explicit_kdc, |
849 | 0 | .timeout_msec = 15*1000, |
850 | 0 | }; |
851 | 0 | NTSTATUS status; |
852 | 0 | krb5_error_code ret; |
853 | 0 | uint8_t i; |
854 | 0 | krb5_error_code first_ret = EINVAL; |
855 | 0 | NTSTATUS first_status = NT_STATUS_UNSUCCESSFUL; |
856 | |
|
857 | 0 | if (num_passwords == 0) { |
858 | 0 | TALLOC_FREE(frame); |
859 | 0 | return EINVAL; |
860 | 0 | } |
861 | 0 | if (num_passwords >= INT8_MAX) { |
862 | 0 | TALLOC_FREE(frame); |
863 | 0 | return EINVAL; |
864 | 0 | } |
865 | | |
866 | | #ifndef HAVE_KRB5_INIT_CREDS_STEP |
867 | | if (ep.explicit_kdc != NULL) { |
868 | | DBG_ERR("Using explicit_kdc requires krb5_init_creds_step!\n"); |
869 | | TALLOC_FREE(frame); |
870 | | return EINVAL; |
871 | | } |
872 | | #endif /* ! HAVE_KRB5_INIT_CREDS_STEP */ |
873 | | |
874 | 0 | DBG_DEBUG("explicit_kdc[%s] given_principal[%s] " |
875 | 0 | "num_passwords[%u] cache_name[%s]\n", |
876 | 0 | ep.explicit_kdc, |
877 | 0 | given_principal, |
878 | 0 | num_passwords, |
879 | 0 | cache_name); |
880 | |
|
881 | 0 | if (ep.explicit_kdc != NULL) { |
882 | 0 | status = kerberos_transaction_cache_create(ep.explicit_kdc, |
883 | 0 | ep.timeout_msec, |
884 | 0 | frame, |
885 | 0 | &ep.kc); |
886 | 0 | if (!NT_STATUS_IS_OK(status)) { |
887 | 0 | TALLOC_FREE(frame); |
888 | 0 | return map_errno_from_nt_status(status); |
889 | 0 | } |
890 | 0 | } |
891 | | |
892 | 0 | for (i = 0; i < num_passwords; i++) { |
893 | 0 | ep.password = passwords[i]; |
894 | 0 | ep.nt_hash = nt_hashes[i]; |
895 | |
|
896 | 0 | ret = kerberos_kinit_generic_once(given_principal, |
897 | 0 | kerberos_kinit_passwords_ext_cb, |
898 | 0 | &ep, |
899 | 0 | 0, /* time_offset */ |
900 | 0 | 0, /* expire_time */ |
901 | 0 | 0, /* renew_till_time */ |
902 | 0 | cache_name, |
903 | 0 | true, /* request_pac */ |
904 | 0 | NULL, /* add_netbios_addr */ |
905 | 0 | 0, /* renewable_time */ |
906 | 0 | mem_ctx, |
907 | 0 | _canon_principal, |
908 | 0 | _canon_realm, |
909 | 0 | ntstatus); |
910 | 0 | if (ret == 0) { |
911 | 0 | *used_idx = i; |
912 | 0 | TALLOC_FREE(frame); |
913 | 0 | return 0; |
914 | 0 | } |
915 | 0 | if (i == 0) { |
916 | 0 | first_ret = ret; |
917 | 0 | first_status = *ntstatus; |
918 | 0 | } |
919 | 0 | if (ret != KRB5KDC_ERR_PREAUTH_FAILED) { |
920 | 0 | *used_idx = i; |
921 | 0 | TALLOC_FREE(frame); |
922 | 0 | return ret; |
923 | 0 | } |
924 | 0 | } |
925 | | |
926 | 0 | *used_idx = 0; |
927 | 0 | *ntstatus = first_status; |
928 | 0 | TALLOC_FREE(frame); |
929 | 0 | return first_ret; |
930 | 0 | } |
931 | | |
932 | | int ads_kdestroy(const char *cc_name) |
933 | 0 | { |
934 | 0 | krb5_error_code code; |
935 | 0 | krb5_context ctx = NULL; |
936 | 0 | krb5_ccache cc = NULL; |
937 | |
|
938 | 0 | code = smb_krb5_init_context_common(&ctx); |
939 | 0 | if (code != 0) { |
940 | 0 | DBG_ERR("kerberos init context failed (%s)\n", |
941 | 0 | error_message(code)); |
942 | 0 | return code; |
943 | 0 | } |
944 | | |
945 | | /* |
946 | | * This should not happen, if |
947 | | * we need that behaviour we |
948 | | * should add an ads_kdestroy_default() |
949 | | */ |
950 | 0 | SMB_ASSERT(cc_name != NULL); |
951 | | |
952 | 0 | code = krb5_cc_resolve(ctx, cc_name, &cc); |
953 | 0 | if (code != 0) { |
954 | 0 | DBG_NOTICE("krb5_cc_resolve(%s) failed: %s\n", |
955 | 0 | cc_name, error_message(code)); |
956 | 0 | krb5_free_context(ctx); |
957 | 0 | return code; |
958 | 0 | } |
959 | | |
960 | 0 | code = krb5_cc_destroy(ctx, cc); |
961 | 0 | if (code != 0) { |
962 | 0 | DBG_ERR("krb5_cc_destroy(%s) failed: %s\n", |
963 | 0 | cc_name, error_message(code)); |
964 | 0 | } |
965 | |
|
966 | 0 | krb5_free_context (ctx); |
967 | 0 | return code; |
968 | 0 | } |
969 | | |
970 | | int create_kerberos_key_from_string(krb5_context context, |
971 | | krb5_principal host_princ, |
972 | | krb5_principal salt_princ, |
973 | | krb5_data *password, |
974 | | krb5_keyblock *key, |
975 | | krb5_enctype enctype, |
976 | | bool no_salt) |
977 | 0 | { |
978 | 0 | int ret; |
979 | | /* |
980 | | * Check if we've determined that the KDC is salting keys for this |
981 | | * principal/enctype in a non-obvious way. If it is, try to match |
982 | | * its behavior. |
983 | | */ |
984 | 0 | if (no_salt) { |
985 | 0 | KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length); |
986 | 0 | if (!KRB5_KEY_DATA(key)) { |
987 | 0 | return ENOMEM; |
988 | 0 | } |
989 | 0 | memcpy(KRB5_KEY_DATA(key), password->data, password->length); |
990 | 0 | KRB5_KEY_LENGTH(key) = password->length; |
991 | 0 | KRB5_KEY_TYPE(key) = enctype; |
992 | 0 | return 0; |
993 | 0 | } |
994 | 0 | ret = smb_krb5_create_key_from_string(context, |
995 | 0 | salt_princ ? salt_princ : host_princ, |
996 | 0 | NULL, |
997 | 0 | password, |
998 | 0 | enctype, |
999 | 0 | key); |
1000 | 0 | return ret; |
1001 | 0 | } |
1002 | | |
1003 | | /************************************************************************ |
1004 | | ************************************************************************/ |
1005 | | |
1006 | | int kerberos_kinit_password(const char *principal, |
1007 | | const char *password, |
1008 | | const char *cache_name) |
1009 | 0 | { |
1010 | 0 | return kerberos_kinit_password_ext(principal, |
1011 | 0 | password, |
1012 | 0 | 0, |
1013 | 0 | NULL, |
1014 | 0 | NULL, |
1015 | 0 | cache_name, |
1016 | 0 | False, |
1017 | 0 | False, |
1018 | 0 | 0, |
1019 | 0 | NULL, |
1020 | 0 | NULL, |
1021 | 0 | NULL, |
1022 | 0 | NULL); |
1023 | 0 | } |
1024 | | |
1025 | | /************************************************************************ |
1026 | | ************************************************************************/ |
1027 | | |
1028 | | /************************************************************************ |
1029 | | Create a string list of available kdc's, possibly searching by sitename. |
1030 | | Does DNS queries. |
1031 | | |
1032 | | If "sitename" is given, the DC's in that site are listed first. |
1033 | | |
1034 | | ************************************************************************/ |
1035 | | |
1036 | | static void add_sockaddr_unique(struct sockaddr_storage *addrs, size_t *num_addrs, |
1037 | | const struct sockaddr_storage *addr) |
1038 | 0 | { |
1039 | 0 | size_t i; |
1040 | |
|
1041 | 0 | for (i=0; i<*num_addrs; i++) { |
1042 | 0 | if (sockaddr_equal((const struct sockaddr *)&addrs[i], |
1043 | 0 | (const struct sockaddr *)addr)) { |
1044 | 0 | return; |
1045 | 0 | } |
1046 | 0 | } |
1047 | 0 | addrs[i] = *addr; |
1048 | 0 | *num_addrs += 1; |
1049 | 0 | } |
1050 | | |
1051 | | /* print_canonical_sockaddr prints an ipv6 addr in the form of |
1052 | | * [ipv6.addr]. This string, when put in a generated krb5.conf file is not |
1053 | | * always properly dealt with by some older krb5 libraries. Adding the hard-coded |
1054 | | * portnumber workarounds the issue. - gd */ |
1055 | | |
1056 | | static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx, |
1057 | | const struct sockaddr_storage *pss) |
1058 | 0 | { |
1059 | 0 | char *str = NULL; |
1060 | |
|
1061 | 0 | str = print_canonical_sockaddr(mem_ctx, pss); |
1062 | 0 | if (str == NULL) { |
1063 | 0 | return NULL; |
1064 | 0 | } |
1065 | | |
1066 | 0 | if (pss->ss_family != AF_INET6) { |
1067 | 0 | return str; |
1068 | 0 | } |
1069 | | |
1070 | 0 | #if defined(HAVE_IPV6) |
1071 | 0 | str = talloc_asprintf_append(str, ":88"); |
1072 | 0 | #endif |
1073 | 0 | return str; |
1074 | 0 | } |
1075 | | |
1076 | | static char *get_kdc_ip_string(char *mem_ctx, |
1077 | | const char *realm, |
1078 | | const char *sitename, |
1079 | | const struct sockaddr_storage *pss) |
1080 | 0 | { |
1081 | 0 | TALLOC_CTX *frame = talloc_stackframe(); |
1082 | 0 | size_t i; |
1083 | 0 | struct samba_sockaddr *ip_sa_site = NULL; |
1084 | 0 | struct samba_sockaddr *ip_sa_nonsite = NULL; |
1085 | 0 | struct samba_sockaddr sa = {0}; |
1086 | 0 | size_t count_site = 0; |
1087 | 0 | size_t count_nonsite; |
1088 | 0 | size_t num_dcs; |
1089 | 0 | struct sockaddr_storage *dc_addrs = NULL; |
1090 | 0 | struct tsocket_address **dc_addrs2 = NULL; |
1091 | 0 | char *result = NULL; |
1092 | 0 | struct netlogon_samlogon_response **responses = NULL; |
1093 | 0 | NTSTATUS status; |
1094 | 0 | bool ok; |
1095 | 0 | char *kdc_str = NULL; |
1096 | 0 | char *canon_sockaddr = NULL; |
1097 | |
|
1098 | 0 | kdc_str = talloc_strdup(frame, ""); |
1099 | |
|
1100 | 0 | if (pss != NULL) { |
1101 | 0 | canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); |
1102 | 0 | if (canon_sockaddr == NULL) { |
1103 | 0 | goto out; |
1104 | 0 | } |
1105 | | |
1106 | 0 | talloc_asprintf_addbuf(&kdc_str, |
1107 | 0 | "\t\tkdc = %s\n", |
1108 | 0 | canon_sockaddr); |
1109 | |
|
1110 | 0 | ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); |
1111 | 0 | if (!ok) { |
1112 | 0 | goto out; |
1113 | 0 | } |
1114 | 0 | } |
1115 | | |
1116 | | /* |
1117 | | * First get the KDC's only in this site, the rest will be |
1118 | | * appended later |
1119 | | */ |
1120 | | |
1121 | 0 | if (sitename) { |
1122 | 0 | status = get_kdc_list(frame, |
1123 | 0 | realm, |
1124 | 0 | sitename, |
1125 | 0 | &ip_sa_site, |
1126 | 0 | &count_site); |
1127 | 0 | if (!NT_STATUS_IS_OK(status)) { |
1128 | 0 | DBG_ERR("get_kdc_list fail %s\n", |
1129 | 0 | nt_errstr(status)); |
1130 | 0 | goto out; |
1131 | 0 | } |
1132 | 0 | DBG_DEBUG("got %zu addresses from site %s search\n", |
1133 | 0 | count_site, |
1134 | 0 | sitename); |
1135 | 0 | } |
1136 | | |
1137 | | /* Get all KDC's. */ |
1138 | | |
1139 | 0 | status = get_kdc_list(frame, |
1140 | 0 | realm, |
1141 | 0 | NULL, |
1142 | 0 | &ip_sa_nonsite, |
1143 | 0 | &count_nonsite); |
1144 | 0 | if (!NT_STATUS_IS_OK(status)) { |
1145 | 0 | DBG_ERR("get_kdc_list (site-less) fail %s\n", |
1146 | 0 | nt_errstr(status)); |
1147 | 0 | goto out; |
1148 | 0 | } |
1149 | 0 | DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite); |
1150 | |
|
1151 | 0 | if (count_site + count_nonsite < count_site) { |
1152 | | /* Wrap check. */ |
1153 | 0 | DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n"); |
1154 | 0 | goto out; |
1155 | 0 | } |
1156 | | |
1157 | | |
1158 | 0 | dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage, |
1159 | 0 | count_site + count_nonsite); |
1160 | 0 | if (dc_addrs == NULL) { |
1161 | 0 | goto out; |
1162 | 0 | } |
1163 | | |
1164 | 0 | num_dcs = 0; |
1165 | |
|
1166 | 0 | for (i = 0; i < count_site; i++) { |
1167 | 0 | if (!sockaddr_equal(&sa.u.sa, &ip_sa_site[i].u.sa)) { |
1168 | 0 | add_sockaddr_unique(dc_addrs, &num_dcs, |
1169 | 0 | &ip_sa_site[i].u.ss); |
1170 | 0 | } |
1171 | 0 | } |
1172 | |
|
1173 | 0 | for (i = 0; i < count_nonsite; i++) { |
1174 | 0 | if (!sockaddr_equal(&sa.u.sa, &ip_sa_nonsite[i].u.sa)) { |
1175 | 0 | add_sockaddr_unique(dc_addrs, &num_dcs, |
1176 | 0 | &ip_sa_nonsite[i].u.ss); |
1177 | 0 | } |
1178 | 0 | } |
1179 | |
|
1180 | 0 | DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); |
1181 | 0 | if (num_dcs == 0) { |
1182 | | /* |
1183 | | * We do not have additional KDCs, but if we have one passed |
1184 | | * in via `pss` just use that one, otherwise fail |
1185 | | */ |
1186 | 0 | if (pss != NULL) { |
1187 | 0 | result = talloc_move(mem_ctx, &kdc_str); |
1188 | 0 | } |
1189 | 0 | goto out; |
1190 | 0 | } |
1191 | | |
1192 | 0 | dc_addrs2 = talloc_zero_array(talloc_tos(), |
1193 | 0 | struct tsocket_address *, |
1194 | 0 | num_dcs); |
1195 | 0 | if (dc_addrs2 == NULL) { |
1196 | 0 | goto out; |
1197 | 0 | } |
1198 | | |
1199 | 0 | for (i=0; i<num_dcs; i++) { |
1200 | 0 | char addr[INET6_ADDRSTRLEN]; |
1201 | 0 | int ret; |
1202 | |
|
1203 | 0 | print_sockaddr(addr, sizeof(addr), &dc_addrs[i]); |
1204 | |
|
1205 | 0 | ret = tsocket_address_inet_from_strings(dc_addrs2, "ip", |
1206 | 0 | addr, LDAP_PORT, |
1207 | 0 | &dc_addrs2[i]); |
1208 | 0 | if (ret != 0) { |
1209 | 0 | status = map_nt_error_from_unix(errno); |
1210 | 0 | DEBUG(2,("Failed to create tsocket_address for %s - %s\n", |
1211 | 0 | addr, nt_errstr(status))); |
1212 | 0 | goto out; |
1213 | 0 | } |
1214 | 0 | } |
1215 | | |
1216 | 0 | status = netlogon_pings(talloc_tos(), /* mem_ctx */ |
1217 | 0 | lp_client_netlogon_ping_protocol(), /* proto */ |
1218 | 0 | dc_addrs2, /* servers */ |
1219 | 0 | num_dcs, /* num_servers */ |
1220 | 0 | (struct netlogon_ping_filter){ |
1221 | 0 | .ntversion = NETLOGON_NT_VERSION_5 | |
1222 | 0 | NETLOGON_NT_VERSION_5EX, |
1223 | 0 | .domain = realm, |
1224 | 0 | .hostname = lp_netbios_name(), |
1225 | 0 | .acct_ctrl = -1, |
1226 | 0 | .required_flags = DS_KDC_REQUIRED, |
1227 | 0 | }, |
1228 | 0 | MIN(num_dcs, 3), /* wanted_servers */ |
1229 | 0 | timeval_current_ofs(3, 0), /* timeout */ |
1230 | 0 | &responses); |
1231 | 0 | TALLOC_FREE(dc_addrs2); |
1232 | |
|
1233 | 0 | if (!NT_STATUS_IS_OK(status)) { |
1234 | 0 | DBG_DEBUG("netlogon_pings failed: %s\n", nt_errstr(status)); |
1235 | | /* |
1236 | | * netlogon_pings() failed, but if we have one passed |
1237 | | * in via `pss` just just use that one, otherwise fail |
1238 | | */ |
1239 | 0 | if (pss != NULL) { |
1240 | 0 | result = talloc_move(mem_ctx, &kdc_str); |
1241 | 0 | } |
1242 | 0 | goto out; |
1243 | 0 | } |
1244 | | |
1245 | 0 | for (i=0; i<num_dcs; i++) { |
1246 | 0 | struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL; |
1247 | 0 | char addr[INET6_ADDRSTRLEN]; |
1248 | |
|
1249 | 0 | if (responses[i] == NULL) { |
1250 | 0 | continue; |
1251 | 0 | } |
1252 | | |
1253 | 0 | if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) { |
1254 | 0 | continue; |
1255 | 0 | } |
1256 | | |
1257 | 0 | print_sockaddr(addr, sizeof(addr), &dc_addrs[i]); |
1258 | |
|
1259 | 0 | cldap_reply = &responses[i]->data.nt5_ex; |
1260 | |
|
1261 | 0 | if (cldap_reply->pdc_dns_name != NULL) { |
1262 | 0 | bool has_entry = has_negative_conn_cache_entry( |
1263 | 0 | realm, |
1264 | 0 | cldap_reply->pdc_dns_name); |
1265 | 0 | if (has_entry) { |
1266 | | /* propagate blacklisting from name to ip */ |
1267 | 0 | add_failed_connection_entry( |
1268 | 0 | realm, |
1269 | 0 | addr, |
1270 | 0 | NT_STATUS_UNSUCCESSFUL); |
1271 | 0 | continue; |
1272 | 0 | } |
1273 | 0 | } |
1274 | | |
1275 | | /* Append to the string - inefficient but not done often. */ |
1276 | 0 | talloc_asprintf_addbuf(&kdc_str, |
1277 | 0 | "\t\tkdc = %s\n", |
1278 | 0 | print_canonical_sockaddr_with_port( |
1279 | 0 | mem_ctx, &dc_addrs[i])); |
1280 | 0 | } |
1281 | |
|
1282 | 0 | result = talloc_move(mem_ctx, &kdc_str); |
1283 | 0 | out: |
1284 | 0 | if (result != NULL) { |
1285 | 0 | DBG_DEBUG("Returning\n%s\n", result); |
1286 | 0 | } else { |
1287 | 0 | DBG_NOTICE("Failed to get KDC ip address\n"); |
1288 | 0 | } |
1289 | |
|
1290 | 0 | TALLOC_FREE(frame); |
1291 | 0 | return result; |
1292 | 0 | } |
1293 | | |
1294 | | /************************************************************************ |
1295 | | Create a specific krb5.conf file in the private directory pointing |
1296 | | at a specific kdc for a realm. Keyed off domain name. Sets |
1297 | | KRB5_CONFIG environment variable to point to this file. Must be |
1298 | | run as root or will fail (which is a good thing :-). |
1299 | | ************************************************************************/ |
1300 | | |
1301 | | #if !defined(SAMBA4_USES_HEIMDAL) /* MIT version */ |
1302 | | static char *get_enctypes(TALLOC_CTX *mem_ctx) |
1303 | | { |
1304 | | char *aes_enctypes = NULL; |
1305 | | const char *legacy_enctypes = ""; |
1306 | | char *enctypes = NULL; |
1307 | | |
1308 | | aes_enctypes = talloc_strdup(mem_ctx, ""); |
1309 | | if (aes_enctypes == NULL) { |
1310 | | goto done; |
1311 | | } |
1312 | | |
1313 | | if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || |
1314 | | lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) { |
1315 | | aes_enctypes = talloc_asprintf_append( |
1316 | | aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 "); |
1317 | | if (aes_enctypes == NULL) { |
1318 | | goto done; |
1319 | | } |
1320 | | aes_enctypes = talloc_asprintf_append( |
1321 | | aes_enctypes, "%s", "aes128-cts-hmac-sha1-96"); |
1322 | | if (aes_enctypes == NULL) { |
1323 | | goto done; |
1324 | | } |
1325 | | } |
1326 | | |
1327 | | if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED && |
1328 | | (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || |
1329 | | lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY)) { |
1330 | | legacy_enctypes = "RC4-HMAC"; |
1331 | | } |
1332 | | |
1333 | | enctypes = |
1334 | | talloc_asprintf(mem_ctx, "\tdefault_tgs_enctypes = %s %s\n" |
1335 | | "\tdefault_tkt_enctypes = %s %s\n" |
1336 | | "\tpreferred_enctypes = %s %s\n", |
1337 | | aes_enctypes, legacy_enctypes, aes_enctypes, |
1338 | | legacy_enctypes, aes_enctypes, legacy_enctypes); |
1339 | | done: |
1340 | | TALLOC_FREE(aes_enctypes); |
1341 | | return enctypes; |
1342 | | } |
1343 | | #else /* Heimdal version */ |
1344 | | static char *get_enctypes(TALLOC_CTX *mem_ctx) |
1345 | 0 | { |
1346 | 0 | const char *aes_enctypes = ""; |
1347 | 0 | const char *legacy_enctypes = ""; |
1348 | 0 | char *enctypes = NULL; |
1349 | |
|
1350 | 0 | if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || |
1351 | 0 | lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) { |
1352 | 0 | aes_enctypes = |
1353 | 0 | "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"; |
1354 | 0 | } |
1355 | |
|
1356 | 0 | if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || |
1357 | 0 | lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) { |
1358 | 0 | legacy_enctypes = "arcfour-hmac-md5"; |
1359 | 0 | } |
1360 | |
|
1361 | 0 | enctypes = talloc_asprintf(mem_ctx, "\tdefault_etypes = %s %s\n", |
1362 | 0 | aes_enctypes, legacy_enctypes); |
1363 | |
|
1364 | 0 | return enctypes; |
1365 | 0 | } |
1366 | | #endif |
1367 | | |
1368 | | bool create_local_private_krb5_conf_for_domain(const char *realm, |
1369 | | const char *domain, |
1370 | | const char *sitename, |
1371 | | const struct sockaddr_storage *pss) |
1372 | 0 | { |
1373 | 0 | char *dname; |
1374 | 0 | char *tmpname = NULL; |
1375 | 0 | char *fname = NULL; |
1376 | 0 | char *file_contents = NULL; |
1377 | 0 | char *kdc_ip_string = NULL; |
1378 | 0 | size_t flen = 0; |
1379 | 0 | ssize_t ret; |
1380 | 0 | int fd; |
1381 | 0 | char *realm_upper = NULL; |
1382 | 0 | bool result = false; |
1383 | 0 | char *enctypes = NULL; |
1384 | 0 | const char *include_system_krb5 = ""; |
1385 | 0 | mode_t mask; |
1386 | | /* |
1387 | | * The default will be 15 seconds, it can be changed in the smb.conf: |
1388 | | * [global] |
1389 | | * krb5:request_timeout = 30 |
1390 | | */ |
1391 | 0 | int timeout_sec = lp_parm_int(-1, |
1392 | 0 | "krb5", |
1393 | 0 | "request_timeout", |
1394 | 0 | 15 /* default */); |
1395 | |
|
1396 | 0 | if (!lp_create_krb5_conf()) { |
1397 | 0 | return false; |
1398 | 0 | } |
1399 | | |
1400 | 0 | if (realm == NULL) { |
1401 | 0 | DEBUG(0, ("No realm has been specified! Do you really want to " |
1402 | 0 | "join an Active Directory server?\n")); |
1403 | 0 | return false; |
1404 | 0 | } |
1405 | | |
1406 | 0 | if (domain == NULL) { |
1407 | 0 | return false; |
1408 | 0 | } |
1409 | | |
1410 | 0 | dname = lock_path(talloc_tos(), "smb_krb5"); |
1411 | 0 | if (!dname) { |
1412 | 0 | return false; |
1413 | 0 | } |
1414 | 0 | if ((mkdir(dname, 0755)==-1) && (errno != EEXIST)) { |
1415 | 0 | DEBUG(0,("create_local_private_krb5_conf_for_domain: " |
1416 | 0 | "failed to create directory %s. Error was %s\n", |
1417 | 0 | dname, strerror(errno) )); |
1418 | 0 | goto done; |
1419 | 0 | } |
1420 | | |
1421 | 0 | tmpname = lock_path(talloc_tos(), "smb_tmp_krb5.XXXXXX"); |
1422 | 0 | if (!tmpname) { |
1423 | 0 | goto done; |
1424 | 0 | } |
1425 | | |
1426 | 0 | fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain); |
1427 | 0 | if (!fname) { |
1428 | 0 | goto done; |
1429 | 0 | } |
1430 | | |
1431 | 0 | DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n", |
1432 | 0 | fname, realm, domain )); |
1433 | |
|
1434 | 0 | realm_upper = talloc_strdup(fname, realm); |
1435 | 0 | if (!strupper_m(realm_upper)) { |
1436 | 0 | goto done; |
1437 | 0 | } |
1438 | | |
1439 | 0 | kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss); |
1440 | 0 | if (!kdc_ip_string) { |
1441 | 0 | goto done; |
1442 | 0 | } |
1443 | | |
1444 | 0 | enctypes = get_enctypes(fname); |
1445 | 0 | if (enctypes == NULL) { |
1446 | 0 | goto done; |
1447 | 0 | } |
1448 | | |
1449 | | #if !defined(SAMBA4_USES_HEIMDAL) |
1450 | | if (lp_include_system_krb5_conf()) { |
1451 | | include_system_krb5 = "include /etc/krb5.conf"; |
1452 | | } |
1453 | | #endif |
1454 | | |
1455 | | /* |
1456 | | * We are setting 'dns_lookup_kdc' to true, because we want to lookup |
1457 | | * KDCs which are not configured via DNS SRV records, eg. if we do: |
1458 | | * |
1459 | | * net ads join -Uadmin@otherdomain |
1460 | | */ |
1461 | 0 | file_contents = |
1462 | 0 | talloc_asprintf(fname, |
1463 | 0 | "[libdefaults]\n" |
1464 | 0 | #ifdef SAMBA4_USES_HEIMDAL |
1465 | 0 | "\tkdc_timeout = %d\n" |
1466 | | #else |
1467 | | "\trequest_timeout = %ds\n" |
1468 | | "\tudp_preference_limit = 0\n" |
1469 | | #endif |
1470 | 0 | "\tdefault_realm = %s\n" |
1471 | 0 | "%s" |
1472 | 0 | "\tdns_lookup_realm = false\n" |
1473 | 0 | "\tdns_lookup_kdc = true\n\n" |
1474 | 0 | "[realms]\n\t%s = {\n" |
1475 | 0 | "%s\t}\n" |
1476 | 0 | "\t%s = {\n" |
1477 | 0 | "%s\t}\n" |
1478 | 0 | "%s\n", |
1479 | 0 | timeout_sec, |
1480 | 0 | realm_upper, |
1481 | 0 | enctypes, |
1482 | 0 | realm_upper, |
1483 | 0 | kdc_ip_string, |
1484 | 0 | domain, |
1485 | 0 | kdc_ip_string, |
1486 | 0 | include_system_krb5); |
1487 | |
|
1488 | 0 | if (!file_contents) { |
1489 | 0 | goto done; |
1490 | 0 | } |
1491 | | |
1492 | 0 | flen = strlen(file_contents); |
1493 | |
|
1494 | 0 | mask = umask(S_IRWXO | S_IRWXG); |
1495 | 0 | fd = mkstemp(tmpname); |
1496 | 0 | umask(mask); |
1497 | 0 | if (fd == -1) { |
1498 | 0 | DBG_ERR("mkstemp failed, for file %s. Errno %s\n", |
1499 | 0 | tmpname, |
1500 | 0 | strerror(errno)); |
1501 | 0 | goto done; |
1502 | 0 | } |
1503 | | |
1504 | 0 | if (fchmod(fd, 0644)==-1) { |
1505 | 0 | DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s." |
1506 | 0 | " Errno %s\n", |
1507 | 0 | tmpname, strerror(errno) )); |
1508 | 0 | unlink(tmpname); |
1509 | 0 | close(fd); |
1510 | 0 | goto done; |
1511 | 0 | } |
1512 | | |
1513 | 0 | ret = write(fd, file_contents, flen); |
1514 | 0 | if (flen != ret) { |
1515 | 0 | DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed," |
1516 | 0 | " returned %d (should be %u). Errno %s\n", |
1517 | 0 | (int)ret, (unsigned int)flen, strerror(errno) )); |
1518 | 0 | unlink(tmpname); |
1519 | 0 | close(fd); |
1520 | 0 | goto done; |
1521 | 0 | } |
1522 | 0 | if (close(fd)==-1) { |
1523 | 0 | DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed." |
1524 | 0 | " Errno %s\n", strerror(errno) )); |
1525 | 0 | unlink(tmpname); |
1526 | 0 | goto done; |
1527 | 0 | } |
1528 | | |
1529 | 0 | if (rename(tmpname, fname) == -1) { |
1530 | 0 | DEBUG(0,("create_local_private_krb5_conf_for_domain: rename " |
1531 | 0 | "of %s to %s failed. Errno %s\n", |
1532 | 0 | tmpname, fname, strerror(errno) )); |
1533 | 0 | unlink(tmpname); |
1534 | 0 | goto done; |
1535 | 0 | } |
1536 | | |
1537 | 0 | DBG_INFO("wrote file %s with realm %s KDC list:\n%s\n", |
1538 | 0 | fname, realm_upper, kdc_ip_string); |
1539 | | |
1540 | | /* Set the environment variable to this file. */ |
1541 | 0 | setenv("KRB5_CONFIG", fname, 1); |
1542 | |
|
1543 | 0 | result = true; |
1544 | |
|
1545 | | #if defined(OVERWRITE_SYSTEM_KRB5_CONF) |
1546 | | |
1547 | | #define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf" |
1548 | | /* Insanity, sheer insanity..... */ |
1549 | | |
1550 | | if (strequal(realm, lp_realm())) { |
1551 | | SMB_STRUCT_STAT sbuf; |
1552 | | |
1553 | | if (sys_lstat(SYSTEM_KRB5_CONF_PATH, &sbuf, false) == 0) { |
1554 | | if (S_ISLNK(sbuf.st_ex_mode) && sbuf.st_ex_size) { |
1555 | | int lret; |
1556 | | size_t alloc_size = sbuf.st_ex_size + 1; |
1557 | | char *linkpath = talloc_array(talloc_tos(), char, |
1558 | | alloc_size); |
1559 | | if (!linkpath) { |
1560 | | goto done; |
1561 | | } |
1562 | | lret = readlink(SYSTEM_KRB5_CONF_PATH, linkpath, |
1563 | | alloc_size - 1); |
1564 | | if (lret == -1) { |
1565 | | TALLOC_FREE(linkpath); |
1566 | | goto done; |
1567 | | } |
1568 | | linkpath[lret] = '\0'; |
1569 | | |
1570 | | if (strcmp(linkpath, fname) == 0) { |
1571 | | /* Symlink already exists. */ |
1572 | | TALLOC_FREE(linkpath); |
1573 | | goto done; |
1574 | | } |
1575 | | TALLOC_FREE(linkpath); |
1576 | | } |
1577 | | } |
1578 | | |
1579 | | /* Try and replace with a symlink. */ |
1580 | | if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) { |
1581 | | const char *newpath = SYSTEM_KRB5_CONF_PATH ".saved"; |
1582 | | if (errno != EEXIST) { |
1583 | | DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink " |
1584 | | "of %s to %s failed. Errno %s\n", |
1585 | | fname, SYSTEM_KRB5_CONF_PATH, strerror(errno) )); |
1586 | | goto done; /* Not a fatal error. */ |
1587 | | } |
1588 | | |
1589 | | /* Yes, this is a race condition... too bad. */ |
1590 | | if (rename(SYSTEM_KRB5_CONF_PATH, newpath) == -1) { |
1591 | | DEBUG(0,("create_local_private_krb5_conf_for_domain: rename " |
1592 | | "of %s to %s failed. Errno %s\n", |
1593 | | SYSTEM_KRB5_CONF_PATH, newpath, |
1594 | | strerror(errno) )); |
1595 | | goto done; /* Not a fatal error. */ |
1596 | | } |
1597 | | |
1598 | | if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) { |
1599 | | DEBUG(0,("create_local_private_krb5_conf_for_domain: " |
1600 | | "forced symlink of %s to /etc/krb5.conf failed. Errno %s\n", |
1601 | | fname, strerror(errno) )); |
1602 | | goto done; /* Not a fatal error. */ |
1603 | | } |
1604 | | } |
1605 | | } |
1606 | | #endif |
1607 | |
|
1608 | 0 | done: |
1609 | 0 | TALLOC_FREE(tmpname); |
1610 | 0 | TALLOC_FREE(dname); |
1611 | |
|
1612 | 0 | return result; |
1613 | 0 | } |
1614 | | #endif |