ad.c revision 1.3
1 1.3 pettai /* $NetBSD: ad.c,v 1.3 2014/04/24 13:45:34 pettai Exp $ */ 2 1.1 elric 3 1.1 elric /* 4 1.1 elric * Copyright (c) 2004 Kungliga Tekniska Hgskolan 5 1.1 elric * (Royal Institute of Technology, Stockholm, Sweden). 6 1.1 elric * All rights reserved. 7 1.1 elric * 8 1.1 elric * Redistribution and use in source and binary forms, with or without 9 1.1 elric * modification, are permitted provided that the following conditions 10 1.1 elric * are met: 11 1.1 elric * 12 1.1 elric * 1. Redistributions of source code must retain the above copyright 13 1.1 elric * notice, this list of conditions and the following disclaimer. 14 1.1 elric * 15 1.1 elric * 2. Redistributions in binary form must reproduce the above copyright 16 1.1 elric * notice, this list of conditions and the following disclaimer in the 17 1.1 elric * documentation and/or other materials provided with the distribution. 18 1.1 elric * 19 1.1 elric * 3. Neither the name of the Institute nor the names of its contributors 20 1.1 elric * may be used to endorse or promote products derived from this software 21 1.1 elric * without specific prior written permission. 22 1.1 elric * 23 1.1 elric * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 1.1 elric * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 1.1 elric * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 1.1 elric * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 1.1 elric * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 1.1 elric * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 1.1 elric * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 1.1 elric * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 1.1 elric * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 1.1 elric * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 1.1 elric * SUCH DAMAGE. 34 1.1 elric */ 35 1.1 elric 36 1.1 elric #define HAVE_TSASL 1 37 1.1 elric 38 1.1 elric #include "kadm5_locl.h" 39 1.1 elric #if 1 40 1.1 elric #undef OPENLDAP 41 1.1 elric #undef HAVE_TSASL 42 1.1 elric #endif 43 1.1 elric #ifdef OPENLDAP 44 1.1 elric #include <ldap.h> 45 1.1 elric #ifdef HAVE_TSASL 46 1.1 elric #include <tsasl.h> 47 1.1 elric #endif 48 1.1 elric #include <krb5/resolve.h> 49 1.1 elric #include <krb5/base64.h> 50 1.1 elric #endif 51 1.1 elric 52 1.3 pettai __RCSID("NetBSD"); 53 1.1 elric 54 1.1 elric #ifdef OPENLDAP 55 1.1 elric 56 1.1 elric #define CTX2LP(context) ((LDAP *)((context)->ldap_conn)) 57 1.1 elric #define CTX2BASE(context) ((context)->base_dn) 58 1.1 elric 59 1.1 elric /* 60 1.1 elric * userAccountControl 61 1.1 elric */ 62 1.1 elric 63 1.1 elric #define UF_SCRIPT 0x00000001 64 1.1 elric #define UF_ACCOUNTDISABLE 0x00000002 65 1.1 elric #define UF_UNUSED_0 0x00000004 66 1.1 elric #define UF_HOMEDIR_REQUIRED 0x00000008 67 1.1 elric #define UF_LOCKOUT 0x00000010 68 1.1 elric #define UF_PASSWD_NOTREQD 0x00000020 69 1.1 elric #define UF_PASSWD_CANT_CHANGE 0x00000040 70 1.1 elric #define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x00000080 71 1.1 elric #define UF_TEMP_DUPLICATE_ACCOUNT 0x00000100 72 1.1 elric #define UF_NORMAL_ACCOUNT 0x00000200 73 1.1 elric #define UF_UNUSED_1 0x00000400 74 1.1 elric #define UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800 75 1.1 elric #define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000 76 1.1 elric #define UF_SERVER_TRUST_ACCOUNT 0x00002000 77 1.1 elric #define UF_UNUSED_2 0x00004000 78 1.1 elric #define UF_UNUSED_3 0x00008000 79 1.1 elric #define UF_PASSWD_NOT_EXPIRE 0x00010000 80 1.1 elric #define UF_MNS_LOGON_ACCOUNT 0x00020000 81 1.1 elric #define UF_SMARTCARD_REQUIRED 0x00040000 82 1.1 elric #define UF_TRUSTED_FOR_DELEGATION 0x00080000 83 1.1 elric #define UF_NOT_DELEGATED 0x00100000 84 1.1 elric #define UF_USE_DES_KEY_ONLY 0x00200000 85 1.1 elric #define UF_DONT_REQUIRE_PREAUTH 0x00400000 86 1.1 elric #define UF_UNUSED_4 0x00800000 87 1.1 elric #define UF_UNUSED_5 0x01000000 88 1.1 elric #define UF_UNUSED_6 0x02000000 89 1.1 elric #define UF_UNUSED_7 0x04000000 90 1.1 elric #define UF_UNUSED_8 0x08000000 91 1.1 elric #define UF_UNUSED_9 0x10000000 92 1.1 elric #define UF_UNUSED_10 0x20000000 93 1.1 elric #define UF_UNUSED_11 0x40000000 94 1.1 elric #define UF_UNUSED_12 0x80000000 95 1.1 elric 96 1.1 elric /* 97 1.1 elric * 98 1.1 elric */ 99 1.1 elric 100 1.1 elric #ifndef HAVE_TSASL 101 1.1 elric static int 102 1.1 elric sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *interact) 103 1.1 elric { 104 1.1 elric return LDAP_SUCCESS; 105 1.1 elric } 106 1.1 elric #endif 107 1.1 elric 108 1.1 elric #if 0 109 1.1 elric static Sockbuf_IO ldap_tsasl_io = { 110 1.1 elric NULL, /* sbi_setup */ 111 1.1 elric NULL, /* sbi_remove */ 112 1.1 elric NULL, /* sbi_ctrl */ 113 1.1 elric NULL, /* sbi_read */ 114 1.1 elric NULL, /* sbi_write */ 115 1.1 elric NULL /* sbi_close */ 116 1.1 elric }; 117 1.1 elric #endif 118 1.1 elric 119 1.1 elric #ifdef HAVE_TSASL 120 1.1 elric static int 121 1.1 elric ldap_tsasl_bind_s(LDAP *ld, 122 1.1 elric LDAP_CONST char *dn, 123 1.1 elric LDAPControl **serverControls, 124 1.1 elric LDAPControl **clientControls, 125 1.1 elric const char *host) 126 1.1 elric { 127 1.1 elric char *attrs[] = { "supportedSASLMechanisms", NULL }; 128 1.1 elric struct tsasl_peer *peer = NULL; 129 1.1 elric struct tsasl_buffer in, out; 130 1.1 elric struct berval ccred, *scred; 131 1.1 elric LDAPMessage *m, *m0; 132 1.1 elric const char *mech; 133 1.1 elric char **vals; 134 1.1 elric int ret, rc; 135 1.1 elric 136 1.1 elric ret = tsasl_peer_init(TSASL_FLAGS_INITIATOR | TSASL_FLAGS_CLEAR, 137 1.1 elric "ldap", host, &peer); 138 1.1 elric if (ret != TSASL_DONE) { 139 1.1 elric rc = LDAP_LOCAL_ERROR; 140 1.1 elric goto out; 141 1.1 elric } 142 1.1 elric 143 1.1 elric rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, &m0); 144 1.1 elric if (rc != LDAP_SUCCESS) 145 1.1 elric goto out; 146 1.1 elric 147 1.1 elric m = ldap_first_entry(ld, m0); 148 1.1 elric if (m == NULL) { 149 1.1 elric ldap_msgfree(m0); 150 1.1 elric goto out; 151 1.1 elric } 152 1.1 elric 153 1.1 elric vals = ldap_get_values(ld, m, "supportedSASLMechanisms"); 154 1.1 elric if (vals == NULL) { 155 1.1 elric ldap_msgfree(m0); 156 1.1 elric goto out; 157 1.1 elric } 158 1.1 elric 159 1.1 elric ret = tsasl_find_best_mech(peer, vals, &mech); 160 1.1 elric if (ret) { 161 1.1 elric ldap_msgfree(m0); 162 1.1 elric goto out; 163 1.1 elric } 164 1.1 elric 165 1.1 elric ldap_msgfree(m0); 166 1.1 elric 167 1.1 elric ret = tsasl_select_mech(peer, mech); 168 1.1 elric if (ret != TSASL_DONE) { 169 1.1 elric rc = LDAP_LOCAL_ERROR; 170 1.1 elric goto out; 171 1.1 elric } 172 1.1 elric 173 1.1 elric in.tb_data = NULL; 174 1.1 elric in.tb_size = 0; 175 1.1 elric 176 1.1 elric do { 177 1.1 elric ret = tsasl_request(peer, &in, &out); 178 1.1 elric if (in.tb_size != 0) { 179 1.1 elric free(in.tb_data); 180 1.1 elric in.tb_data = NULL; 181 1.1 elric in.tb_size = 0; 182 1.1 elric } 183 1.1 elric if (ret != TSASL_DONE && ret != TSASL_CONTINUE) { 184 1.1 elric rc = LDAP_AUTH_UNKNOWN; 185 1.1 elric goto out; 186 1.1 elric } 187 1.1 elric 188 1.1 elric ccred.bv_val = out.tb_data; 189 1.1 elric ccred.bv_len = out.tb_size; 190 1.1 elric 191 1.1 elric rc = ldap_sasl_bind_s(ld, dn, mech, &ccred, 192 1.1 elric serverControls, clientControls, &scred); 193 1.1 elric tsasl_buffer_free(&out); 194 1.1 elric 195 1.1 elric if (rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS) { 196 1.1 elric if(scred && scred->bv_len) 197 1.1 elric ber_bvfree(scred); 198 1.1 elric goto out; 199 1.1 elric } 200 1.1 elric 201 1.1 elric in.tb_data = malloc(scred->bv_len); 202 1.1 elric if (in.tb_data == NULL) { 203 1.1 elric rc = LDAP_LOCAL_ERROR; 204 1.1 elric goto out; 205 1.1 elric } 206 1.1 elric memcpy(in.tb_data, scred->bv_val, scred->bv_len); 207 1.1 elric in.tb_size = scred->bv_len; 208 1.1 elric ber_bvfree(scred); 209 1.1 elric 210 1.1 elric } while (rc == LDAP_SASL_BIND_IN_PROGRESS); 211 1.1 elric 212 1.1 elric out: 213 1.1 elric if (rc == LDAP_SUCCESS) { 214 1.1 elric #if 0 215 1.1 elric ber_sockbuf_add_io(ld->ld_conns->lconn_sb, &ldap_tsasl_io, 216 1.1 elric LBER_SBIOD_LEVEL_APPLICATION, peer); 217 1.1 elric 218 1.1 elric #endif 219 1.1 elric } else if (peer != NULL) 220 1.1 elric tsasl_peer_free(peer); 221 1.1 elric 222 1.1 elric return rc; 223 1.1 elric } 224 1.1 elric #endif /* HAVE_TSASL */ 225 1.1 elric 226 1.1 elric 227 1.1 elric static int 228 1.1 elric check_ldap(kadm5_ad_context *context, int ret) 229 1.1 elric { 230 1.1 elric switch (ret) { 231 1.1 elric case LDAP_SUCCESS: 232 1.1 elric return 0; 233 1.1 elric case LDAP_SERVER_DOWN: { 234 1.1 elric LDAP *lp = CTX2LP(context); 235 1.1 elric ldap_unbind(lp); 236 1.1 elric context->ldap_conn = NULL; 237 1.1 elric free(context->base_dn); 238 1.1 elric context->base_dn = NULL; 239 1.1 elric return 1; 240 1.1 elric } 241 1.1 elric default: 242 1.1 elric return 1; 243 1.1 elric } 244 1.1 elric } 245 1.1 elric 246 1.1 elric /* 247 1.1 elric * 248 1.1 elric */ 249 1.1 elric 250 1.1 elric static void 251 1.1 elric laddattr(char ***al, int *attrlen, char *attr) 252 1.1 elric { 253 1.1 elric char **a; 254 1.1 elric a = realloc(*al, (*attrlen + 2) * sizeof(**al)); 255 1.1 elric if (a == NULL) 256 1.1 elric return; 257 1.1 elric a[*attrlen] = attr; 258 1.1 elric a[*attrlen + 1] = NULL; 259 1.1 elric (*attrlen)++; 260 1.1 elric *al = a; 261 1.1 elric } 262 1.1 elric 263 1.1 elric static kadm5_ret_t 264 1.1 elric _kadm5_ad_connect(void *server_handle) 265 1.1 elric { 266 1.1 elric kadm5_ad_context *context = server_handle; 267 1.1 elric struct { 268 1.1 elric char *server; 269 1.1 elric int port; 270 1.1 elric } *s, *servers = NULL; 271 1.1 elric int i, num_servers = 0; 272 1.1 elric 273 1.1 elric if (context->ldap_conn) 274 1.1 elric return 0; 275 1.1 elric 276 1.1 elric { 277 1.1 elric struct dns_reply *r; 278 1.1 elric struct resource_record *rr; 279 1.1 elric char *domain; 280 1.1 elric 281 1.1 elric asprintf(&domain, "_ldap._tcp.%s", context->realm); 282 1.1 elric if (domain == NULL) { 283 1.1 elric krb5_set_error_message(context->context, KADM5_NO_SRV, "malloc"); 284 1.1 elric return KADM5_NO_SRV; 285 1.1 elric } 286 1.1 elric 287 1.1 elric r = dns_lookup(domain, "SRV"); 288 1.1 elric free(domain); 289 1.1 elric if (r == NULL) { 290 1.1 elric krb5_set_error_message(context->context, KADM5_NO_SRV, "Didn't find ldap dns"); 291 1.1 elric return KADM5_NO_SRV; 292 1.3 pettai } 293 1.1 elric 294 1.1 elric for (rr = r->head ; rr != NULL; rr = rr->next) { 295 1.1 elric if (rr->type != rk_ns_t_srv) 296 1.1 elric continue; 297 1.1 elric s = realloc(servers, sizeof(*servers) * (num_servers + 1)); 298 1.1 elric if (s == NULL) { 299 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "malloc"); 300 1.1 elric dns_free_data(r); 301 1.1 elric goto fail; 302 1.1 elric } 303 1.1 elric servers = s; 304 1.1 elric num_servers++; 305 1.1 elric servers[num_servers - 1].port = rr->u.srv->port; 306 1.1 elric servers[num_servers - 1].server = strdup(rr->u.srv->target); 307 1.1 elric } 308 1.1 elric dns_free_data(r); 309 1.1 elric } 310 1.1 elric 311 1.1 elric if (num_servers == 0) { 312 1.1 elric krb5_set_error_message(context->context, KADM5_NO_SRV, "No AD server found in DNS"); 313 1.1 elric return KADM5_NO_SRV; 314 1.1 elric } 315 1.1 elric 316 1.1 elric for (i = 0; i < num_servers; i++) { 317 1.1 elric int lret, version = LDAP_VERSION3; 318 1.1 elric LDAP *lp; 319 1.1 elric 320 1.1 elric lp = ldap_init(servers[i].server, servers[i].port); 321 1.1 elric if (lp == NULL) 322 1.1 elric continue; 323 1.3 pettai 324 1.1 elric if (ldap_set_option(lp, LDAP_OPT_PROTOCOL_VERSION, &version)) { 325 1.1 elric ldap_unbind(lp); 326 1.1 elric continue; 327 1.1 elric } 328 1.3 pettai 329 1.1 elric if (ldap_set_option(lp, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)) { 330 1.1 elric ldap_unbind(lp); 331 1.1 elric continue; 332 1.1 elric } 333 1.3 pettai 334 1.1 elric #ifdef HAVE_TSASL 335 1.1 elric lret = ldap_tsasl_bind_s(lp, NULL, NULL, NULL, servers[i].server); 336 1.3 pettai 337 1.1 elric #else 338 1.1 elric lret = ldap_sasl_interactive_bind_s(lp, NULL, NULL, NULL, NULL, 339 1.1 elric LDAP_SASL_QUIET, 340 1.1 elric sasl_interact, NULL); 341 1.1 elric #endif 342 1.1 elric if (lret != LDAP_SUCCESS) { 343 1.1 elric krb5_set_error_message(context->context, 0, 344 1.1 elric "Couldn't contact any AD servers: %s", 345 1.1 elric ldap_err2string(lret)); 346 1.1 elric ldap_unbind(lp); 347 1.1 elric continue; 348 1.1 elric } 349 1.1 elric 350 1.1 elric context->ldap_conn = lp; 351 1.1 elric break; 352 1.1 elric } 353 1.1 elric if (i >= num_servers) { 354 1.1 elric goto fail; 355 1.1 elric } 356 1.1 elric 357 1.1 elric { 358 1.1 elric LDAPMessage *m, *m0; 359 1.1 elric char **attr = NULL; 360 1.1 elric int attrlen = 0; 361 1.1 elric char **vals; 362 1.1 elric int ret; 363 1.3 pettai 364 1.1 elric laddattr(&attr, &attrlen, "defaultNamingContext"); 365 1.1 elric 366 1.1 elric ret = ldap_search_s(CTX2LP(context), "", LDAP_SCOPE_BASE, 367 1.1 elric "objectclass=*", attr, 0, &m); 368 1.1 elric free(attr); 369 1.1 elric if (check_ldap(context, ret)) 370 1.1 elric goto fail; 371 1.1 elric 372 1.1 elric if (ldap_count_entries(CTX2LP(context), m) > 0) { 373 1.1 elric m0 = ldap_first_entry(CTX2LP(context), m); 374 1.1 elric if (m0 == NULL) { 375 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, 376 1.1 elric "Error in AD ldap responce"); 377 1.1 elric ldap_msgfree(m); 378 1.1 elric goto fail; 379 1.1 elric } 380 1.1 elric vals = ldap_get_values(CTX2LP(context), 381 1.1 elric m0, "defaultNamingContext"); 382 1.1 elric if (vals == NULL) { 383 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, 384 1.1 elric "No naming context found"); 385 1.1 elric goto fail; 386 1.1 elric } 387 1.1 elric context->base_dn = strdup(vals[0]); 388 1.1 elric } else 389 1.1 elric goto fail; 390 1.1 elric ldap_msgfree(m); 391 1.1 elric } 392 1.1 elric 393 1.1 elric for (i = 0; i < num_servers; i++) 394 1.1 elric free(servers[i].server); 395 1.1 elric free(servers); 396 1.1 elric 397 1.1 elric return 0; 398 1.1 elric 399 1.1 elric fail: 400 1.1 elric for (i = 0; i < num_servers; i++) 401 1.1 elric free(servers[i].server); 402 1.1 elric free(servers); 403 1.1 elric 404 1.1 elric if (context->ldap_conn) { 405 1.1 elric ldap_unbind(CTX2LP(context)); 406 1.1 elric context->ldap_conn = NULL; 407 1.1 elric } 408 1.1 elric return KADM5_RPC_ERROR; 409 1.1 elric } 410 1.1 elric 411 1.1 elric #define NTTIME_EPOCH 0x019DB1DED53E8000LL 412 1.1 elric 413 1.1 elric static time_t 414 1.1 elric nt2unixtime(const char *str) 415 1.1 elric { 416 1.1 elric unsigned long long t; 417 1.1 elric t = strtoll(str, NULL, 10); 418 1.1 elric t = ((t - NTTIME_EPOCH) / (long long)10000000); 419 1.1 elric if (t > (((time_t)(~(long long)0)) >> 1)) 420 1.1 elric return 0; 421 1.1 elric return (time_t)t; 422 1.1 elric } 423 1.1 elric 424 1.1 elric static long long 425 1.1 elric unix2nttime(time_t unix_time) 426 1.1 elric { 427 1.1 elric long long wt; 428 1.1 elric wt = unix_time * (long long)10000000 + (long long)NTTIME_EPOCH; 429 1.1 elric return wt; 430 1.1 elric } 431 1.1 elric 432 1.1 elric /* XXX create filter in a better way */ 433 1.1 elric 434 1.1 elric static int 435 1.1 elric ad_find_entry(kadm5_ad_context *context, 436 1.1 elric const char *fqdn, 437 1.1 elric const char *pn, 438 1.1 elric char **name) 439 1.1 elric { 440 1.1 elric LDAPMessage *m, *m0; 441 1.1 elric char *attr[] = { "distinguishedName", NULL }; 442 1.1 elric char *filter; 443 1.1 elric int ret; 444 1.1 elric 445 1.1 elric if (name) 446 1.1 elric *name = NULL; 447 1.1 elric 448 1.1 elric if (fqdn) 449 1.1 elric asprintf(&filter, 450 1.1 elric "(&(objectClass=computer)(|(dNSHostName=%s)(servicePrincipalName=%s)))", 451 1.1 elric fqdn, pn); 452 1.1 elric else if(pn) 453 1.1 elric asprintf(&filter, "(&(objectClass=account)(userPrincipalName=%s))", pn); 454 1.1 elric else 455 1.1 elric return KADM5_RPC_ERROR; 456 1.1 elric 457 1.1 elric ret = ldap_search_s(CTX2LP(context), CTX2BASE(context), 458 1.1 elric LDAP_SCOPE_SUBTREE, 459 1.1 elric filter, attr, 0, &m); 460 1.1 elric free(filter); 461 1.1 elric if (check_ldap(context, ret)) 462 1.1 elric return KADM5_RPC_ERROR; 463 1.1 elric 464 1.1 elric if (ldap_count_entries(CTX2LP(context), m) > 0) { 465 1.1 elric char **vals; 466 1.1 elric m0 = ldap_first_entry(CTX2LP(context), m); 467 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "distinguishedName"); 468 1.1 elric if (vals == NULL || vals[0] == NULL) { 469 1.1 elric ldap_msgfree(m); 470 1.1 elric return KADM5_RPC_ERROR; 471 1.1 elric } 472 1.1 elric if (name) 473 1.1 elric *name = strdup(vals[0]); 474 1.1 elric ldap_msgfree(m); 475 1.1 elric } else 476 1.1 elric return KADM5_UNK_PRINC; 477 1.1 elric 478 1.1 elric return 0; 479 1.1 elric } 480 1.1 elric 481 1.1 elric #endif /* OPENLDAP */ 482 1.1 elric 483 1.1 elric static kadm5_ret_t 484 1.1 elric ad_get_cred(kadm5_ad_context *context, const char *password) 485 1.1 elric { 486 1.1 elric kadm5_ret_t ret; 487 1.1 elric krb5_ccache cc; 488 1.1 elric char *service; 489 1.1 elric 490 1.1 elric if (context->ccache) 491 1.1 elric return 0; 492 1.1 elric 493 1.1 elric asprintf(&service, "%s/%s@%s", KRB5_TGS_NAME, 494 1.1 elric context->realm, context->realm); 495 1.1 elric if (service == NULL) 496 1.1 elric return ENOMEM; 497 1.1 elric 498 1.1 elric ret = _kadm5_c_get_cred_cache(context->context, 499 1.1 elric context->client_name, 500 1.1 elric service, 501 1.1 elric password, krb5_prompter_posix, 502 1.1 elric NULL, NULL, &cc); 503 1.1 elric free(service); 504 1.1 elric if(ret) 505 1.1 elric return ret; /* XXX */ 506 1.1 elric context->ccache = cc; 507 1.1 elric return 0; 508 1.1 elric } 509 1.1 elric 510 1.1 elric static kadm5_ret_t 511 1.1 elric kadm5_ad_chpass_principal(void *server_handle, 512 1.1 elric krb5_principal principal, 513 1.1 elric const char *password) 514 1.1 elric { 515 1.1 elric kadm5_ad_context *context = server_handle; 516 1.1 elric krb5_data result_code_string, result_string; 517 1.1 elric int result_code; 518 1.1 elric kadm5_ret_t ret; 519 1.1 elric 520 1.1 elric ret = ad_get_cred(context, NULL); 521 1.1 elric if (ret) 522 1.1 elric return ret; 523 1.1 elric 524 1.1 elric krb5_data_zero (&result_code_string); 525 1.1 elric krb5_data_zero (&result_string); 526 1.1 elric 527 1.1 elric ret = krb5_set_password_using_ccache (context->context, 528 1.1 elric context->ccache, 529 1.1 elric password, 530 1.1 elric principal, 531 1.1 elric &result_code, 532 1.1 elric &result_code_string, 533 1.1 elric &result_string); 534 1.1 elric 535 1.1 elric krb5_data_free (&result_code_string); 536 1.1 elric krb5_data_free (&result_string); 537 1.1 elric 538 1.1 elric /* XXX do mapping here on error codes */ 539 1.1 elric 540 1.1 elric return ret; 541 1.1 elric } 542 1.1 elric 543 1.1 elric #ifdef OPENLDAP 544 1.1 elric static const char * 545 1.1 elric get_fqdn(krb5_context context, const krb5_principal p) 546 1.1 elric { 547 1.1 elric const char *s, *hosttypes[] = { "host", "ldap", "gc", "cifs", "dns" }; 548 1.1 elric int i; 549 1.1 elric 550 1.1 elric s = krb5_principal_get_comp_string(context, p, 0); 551 1.1 elric if (p == NULL) 552 1.1 elric return NULL; 553 1.1 elric 554 1.1 elric for (i = 0; i < sizeof(hosttypes)/sizeof(hosttypes[0]); i++) { 555 1.1 elric if (strcasecmp(s, hosttypes[i]) == 0) 556 1.1 elric return krb5_principal_get_comp_string(context, p, 1); 557 1.1 elric } 558 1.1 elric return 0; 559 1.1 elric } 560 1.1 elric #endif 561 1.1 elric 562 1.1 elric 563 1.1 elric static kadm5_ret_t 564 1.1 elric kadm5_ad_create_principal(void *server_handle, 565 1.1 elric kadm5_principal_ent_t entry, 566 1.1 elric uint32_t mask, 567 1.1 elric const char *password) 568 1.1 elric { 569 1.1 elric kadm5_ad_context *context = server_handle; 570 1.1 elric 571 1.1 elric /* 572 1.1 elric * KADM5_PRINC_EXPIRE_TIME 573 1.1 elric * 574 1.1 elric * return 0 || KADM5_DUP; 575 1.1 elric */ 576 1.1 elric 577 1.1 elric #ifdef OPENLDAP 578 1.1 elric LDAPMod *attrs[8], rattrs[7], *a; 579 1.1 elric char *useraccvals[2] = { NULL, NULL }, 580 1.1 elric *samvals[2], *dnsvals[2], *spnvals[5], *upnvals[2], *tv[2]; 581 1.1 elric char *ocvals_spn[] = { "top", "person", "organizationalPerson", 582 1.1 elric "user", "computer", NULL}; 583 1.1 elric char *p, *realmless_p, *p_msrealm = NULL, *dn = NULL; 584 1.1 elric const char *fqdn; 585 1.1 elric char *s, *samname = NULL, *short_spn = NULL; 586 1.1 elric int ret, i; 587 1.1 elric int32_t uf_flags = 0; 588 1.1 elric 589 1.1 elric if ((mask & KADM5_PRINCIPAL) == 0) 590 1.1 elric return KADM5_BAD_MASK; 591 1.1 elric 592 1.1 elric for (i = 0; i < sizeof(rattrs)/sizeof(rattrs[0]); i++) 593 1.1 elric attrs[i] = &rattrs[i]; 594 1.1 elric attrs[i] = NULL; 595 1.1 elric 596 1.1 elric ret = ad_get_cred(context, NULL); 597 1.1 elric if (ret) 598 1.1 elric return ret; 599 1.1 elric 600 1.1 elric ret = _kadm5_ad_connect(server_handle); 601 1.1 elric if (ret) 602 1.1 elric return ret; 603 1.1 elric 604 1.1 elric fqdn = get_fqdn(context->context, entry->principal); 605 1.1 elric 606 1.1 elric ret = krb5_unparse_name(context->context, entry->principal, &p); 607 1.1 elric if (ret) 608 1.1 elric return ret; 609 1.1 elric 610 1.1 elric if (ad_find_entry(context, fqdn, p, NULL) == 0) { 611 1.1 elric free(p); 612 1.1 elric return KADM5_DUP; 613 1.1 elric } 614 1.1 elric 615 1.1 elric if (mask & KADM5_ATTRIBUTES) { 616 1.1 elric if (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX) 617 1.1 elric uf_flags |= UF_ACCOUNTDISABLE|UF_LOCKOUT; 618 1.1 elric if ((entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH) == 0) 619 1.1 elric uf_flags |= UF_DONT_REQUIRE_PREAUTH; 620 1.1 elric if (entry->attributes & KRB5_KDB_REQUIRES_HW_AUTH) 621 1.1 elric uf_flags |= UF_SMARTCARD_REQUIRED; 622 1.1 elric } 623 1.1 elric 624 1.1 elric realmless_p = strdup(p); 625 1.1 elric if (realmless_p == NULL) { 626 1.1 elric ret = ENOMEM; 627 1.1 elric goto out; 628 1.1 elric } 629 1.1 elric s = strrchr(realmless_p, '@'); 630 1.1 elric if (s) 631 1.1 elric *s = '\0'; 632 1.1 elric 633 1.1 elric if (fqdn) { 634 1.1 elric /* create computer account */ 635 1.1 elric asprintf(&samname, "%s$", fqdn); 636 1.1 elric if (samname == NULL) { 637 1.1 elric ret = ENOMEM; 638 1.1 elric goto out; 639 1.1 elric } 640 1.1 elric s = strchr(samname, '.'); 641 1.1 elric if (s) { 642 1.1 elric s[0] = '$'; 643 1.1 elric s[1] = '\0'; 644 1.1 elric } 645 1.3 pettai 646 1.1 elric short_spn = strdup(p); 647 1.1 elric if (short_spn == NULL) { 648 1.1 elric errno = ENOMEM; 649 1.1 elric goto out; 650 1.1 elric } 651 1.1 elric s = strchr(short_spn, '.'); 652 1.1 elric if (s) { 653 1.1 elric *s = '\0'; 654 1.1 elric } else { 655 1.1 elric free(short_spn); 656 1.1 elric short_spn = NULL; 657 1.1 elric } 658 1.1 elric 659 1.1 elric p_msrealm = strdup(p); 660 1.1 elric if (p_msrealm == NULL) { 661 1.1 elric errno = ENOMEM; 662 1.1 elric goto out; 663 1.1 elric } 664 1.1 elric s = strrchr(p_msrealm, '@'); 665 1.1 elric if (s) { 666 1.1 elric *s = '/'; 667 1.1 elric } else { 668 1.1 elric free(p_msrealm); 669 1.1 elric p_msrealm = NULL; 670 1.1 elric } 671 1.1 elric 672 1.1 elric asprintf(&dn, "cn=%s, cn=Computers, %s", fqdn, CTX2BASE(context)); 673 1.1 elric if (dn == NULL) { 674 1.1 elric ret = ENOMEM; 675 1.1 elric goto out; 676 1.1 elric } 677 1.1 elric 678 1.1 elric a = &rattrs[0]; 679 1.1 elric a->mod_op = LDAP_MOD_ADD; 680 1.1 elric a->mod_type = "objectClass"; 681 1.1 elric a->mod_values = ocvals_spn; 682 1.1 elric a++; 683 1.1 elric 684 1.1 elric a->mod_op = LDAP_MOD_ADD; 685 1.1 elric a->mod_type = "userAccountControl"; 686 1.1 elric a->mod_values = useraccvals; 687 1.1 elric asprintf(&useraccvals[0], "%d", 688 1.1 elric uf_flags | 689 1.1 elric UF_PASSWD_NOT_EXPIRE | 690 1.1 elric UF_WORKSTATION_TRUST_ACCOUNT); 691 1.1 elric useraccvals[1] = NULL; 692 1.1 elric a++; 693 1.1 elric 694 1.1 elric a->mod_op = LDAP_MOD_ADD; 695 1.1 elric a->mod_type = "sAMAccountName"; 696 1.1 elric a->mod_values = samvals; 697 1.1 elric samvals[0] = samname; 698 1.1 elric samvals[1] = NULL; 699 1.1 elric a++; 700 1.1 elric 701 1.1 elric a->mod_op = LDAP_MOD_ADD; 702 1.1 elric a->mod_type = "dNSHostName"; 703 1.1 elric a->mod_values = dnsvals; 704 1.1 elric dnsvals[0] = (char *)fqdn; 705 1.1 elric dnsvals[1] = NULL; 706 1.1 elric a++; 707 1.1 elric 708 1.1 elric /* XXX add even more spn's */ 709 1.1 elric a->mod_op = LDAP_MOD_ADD; 710 1.1 elric a->mod_type = "servicePrincipalName"; 711 1.1 elric a->mod_values = spnvals; 712 1.1 elric i = 0; 713 1.1 elric spnvals[i++] = p; 714 1.1 elric spnvals[i++] = realmless_p; 715 1.1 elric if (short_spn) 716 1.1 elric spnvals[i++] = short_spn; 717 1.1 elric if (p_msrealm) 718 1.1 elric spnvals[i++] = p_msrealm; 719 1.1 elric spnvals[i++] = NULL; 720 1.1 elric a++; 721 1.1 elric 722 1.1 elric a->mod_op = LDAP_MOD_ADD; 723 1.1 elric a->mod_type = "userPrincipalName"; 724 1.1 elric a->mod_values = upnvals; 725 1.1 elric upnvals[0] = p; 726 1.1 elric upnvals[1] = NULL; 727 1.1 elric a++; 728 1.1 elric 729 1.1 elric a->mod_op = LDAP_MOD_ADD; 730 1.1 elric a->mod_type = "accountExpires"; 731 1.1 elric a->mod_values = tv; 732 1.1 elric tv[0] = "9223372036854775807"; /* "never" */ 733 1.1 elric tv[1] = NULL; 734 1.1 elric a++; 735 1.1 elric 736 1.1 elric } else { 737 1.1 elric /* create user account */ 738 1.3 pettai 739 1.1 elric a = &rattrs[0]; 740 1.1 elric a->mod_op = LDAP_MOD_ADD; 741 1.1 elric a->mod_type = "userAccountControl"; 742 1.1 elric a->mod_values = useraccvals; 743 1.1 elric asprintf(&useraccvals[0], "%d", 744 1.1 elric uf_flags | 745 1.1 elric UF_PASSWD_NOT_EXPIRE); 746 1.1 elric useraccvals[1] = NULL; 747 1.1 elric a++; 748 1.1 elric 749 1.1 elric a->mod_op = LDAP_MOD_ADD; 750 1.1 elric a->mod_type = "sAMAccountName"; 751 1.1 elric a->mod_values = samvals; 752 1.1 elric samvals[0] = realmless_p; 753 1.1 elric samvals[1] = NULL; 754 1.1 elric a++; 755 1.1 elric 756 1.1 elric a->mod_op = LDAP_MOD_ADD; 757 1.1 elric a->mod_type = "userPrincipalName"; 758 1.1 elric a->mod_values = upnvals; 759 1.1 elric upnvals[0] = p; 760 1.1 elric upnvals[1] = NULL; 761 1.1 elric a++; 762 1.1 elric 763 1.1 elric a->mod_op = LDAP_MOD_ADD; 764 1.1 elric a->mod_type = "accountExpires"; 765 1.1 elric a->mod_values = tv; 766 1.1 elric tv[0] = "9223372036854775807"; /* "never" */ 767 1.1 elric tv[1] = NULL; 768 1.1 elric a++; 769 1.1 elric } 770 1.1 elric 771 1.1 elric attrs[a - &rattrs[0]] = NULL; 772 1.1 elric 773 1.1 elric ret = ldap_add_s(CTX2LP(context), dn, attrs); 774 1.1 elric 775 1.1 elric out: 776 1.1 elric if (useraccvals[0]) 777 1.1 elric free(useraccvals[0]); 778 1.1 elric if (realmless_p) 779 1.1 elric free(realmless_p); 780 1.1 elric if (samname) 781 1.1 elric free(samname); 782 1.1 elric if (short_spn) 783 1.1 elric free(short_spn); 784 1.1 elric if (p_msrealm) 785 1.1 elric free(p_msrealm); 786 1.1 elric free(p); 787 1.1 elric 788 1.1 elric if (check_ldap(context, ret)) 789 1.1 elric return KADM5_RPC_ERROR; 790 1.1 elric 791 1.1 elric return 0; 792 1.1 elric #else 793 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 794 1.1 elric return KADM5_RPC_ERROR; 795 1.1 elric #endif 796 1.1 elric } 797 1.1 elric 798 1.1 elric static kadm5_ret_t 799 1.1 elric kadm5_ad_delete_principal(void *server_handle, krb5_principal principal) 800 1.1 elric { 801 1.1 elric kadm5_ad_context *context = server_handle; 802 1.1 elric #ifdef OPENLDAP 803 1.1 elric char *p, *dn = NULL; 804 1.1 elric const char *fqdn; 805 1.1 elric int ret; 806 1.1 elric 807 1.1 elric ret = ad_get_cred(context, NULL); 808 1.1 elric if (ret) 809 1.1 elric return ret; 810 1.1 elric 811 1.1 elric ret = _kadm5_ad_connect(server_handle); 812 1.1 elric if (ret) 813 1.1 elric return ret; 814 1.1 elric 815 1.1 elric fqdn = get_fqdn(context->context, principal); 816 1.1 elric 817 1.1 elric ret = krb5_unparse_name(context->context, principal, &p); 818 1.1 elric if (ret) 819 1.1 elric return ret; 820 1.1 elric 821 1.1 elric if (ad_find_entry(context, fqdn, p, &dn) != 0) { 822 1.1 elric free(p); 823 1.1 elric return KADM5_UNK_PRINC; 824 1.1 elric } 825 1.1 elric 826 1.1 elric ret = ldap_delete_s(CTX2LP(context), dn); 827 1.1 elric 828 1.1 elric free(dn); 829 1.1 elric free(p); 830 1.1 elric 831 1.1 elric if (check_ldap(context, ret)) 832 1.1 elric return KADM5_RPC_ERROR; 833 1.1 elric return 0; 834 1.1 elric #else 835 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 836 1.1 elric return KADM5_RPC_ERROR; 837 1.1 elric #endif 838 1.1 elric } 839 1.1 elric 840 1.1 elric static kadm5_ret_t 841 1.1 elric kadm5_ad_destroy(void *server_handle) 842 1.1 elric { 843 1.1 elric kadm5_ad_context *context = server_handle; 844 1.1 elric 845 1.1 elric if (context->ccache) 846 1.1 elric krb5_cc_destroy(context->context, context->ccache); 847 1.1 elric 848 1.1 elric #ifdef OPENLDAP 849 1.1 elric { 850 1.1 elric LDAP *lp = CTX2LP(context); 851 1.1 elric if (lp) 852 1.1 elric ldap_unbind(lp); 853 1.1 elric if (context->base_dn) 854 1.1 elric free(context->base_dn); 855 1.1 elric } 856 1.1 elric #endif 857 1.1 elric free(context->realm); 858 1.1 elric free(context->client_name); 859 1.1 elric krb5_free_principal(context->context, context->caller); 860 1.1 elric if(context->my_context) 861 1.1 elric krb5_free_context(context->context); 862 1.1 elric return 0; 863 1.1 elric } 864 1.1 elric 865 1.1 elric static kadm5_ret_t 866 1.1 elric kadm5_ad_flush(void *server_handle) 867 1.1 elric { 868 1.1 elric kadm5_ad_context *context = server_handle; 869 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 870 1.1 elric return KADM5_RPC_ERROR; 871 1.1 elric } 872 1.1 elric 873 1.1 elric static kadm5_ret_t 874 1.1 elric kadm5_ad_get_principal(void *server_handle, 875 1.1 elric krb5_principal principal, 876 1.1 elric kadm5_principal_ent_t entry, 877 1.1 elric uint32_t mask) 878 1.1 elric { 879 1.1 elric kadm5_ad_context *context = server_handle; 880 1.1 elric #ifdef OPENLDAP 881 1.1 elric LDAPMessage *m, *m0; 882 1.1 elric char **attr = NULL; 883 1.1 elric int attrlen = 0; 884 1.1 elric char *filter, *p, *q, *u; 885 1.1 elric int ret; 886 1.1 elric 887 1.1 elric /* 888 1.1 elric * principal 889 1.1 elric * KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES 890 1.1 elric */ 891 1.1 elric 892 1.1 elric /* 893 1.1 elric * return 0 || KADM5_DUP; 894 1.1 elric */ 895 1.1 elric 896 1.1 elric memset(entry, 0, sizeof(*entry)); 897 1.1 elric 898 1.1 elric if (mask & KADM5_KVNO) 899 1.1 elric laddattr(&attr, &attrlen, "msDS-KeyVersionNumber"); 900 1.1 elric 901 1.1 elric if (mask & KADM5_PRINCIPAL) { 902 1.1 elric laddattr(&attr, &attrlen, "userPrincipalName"); 903 1.1 elric laddattr(&attr, &attrlen, "servicePrincipalName"); 904 1.1 elric } 905 1.1 elric laddattr(&attr, &attrlen, "objectClass"); 906 1.1 elric laddattr(&attr, &attrlen, "lastLogon"); 907 1.1 elric laddattr(&attr, &attrlen, "badPwdCount"); 908 1.1 elric laddattr(&attr, &attrlen, "badPasswordTime"); 909 1.1 elric laddattr(&attr, &attrlen, "pwdLastSet"); 910 1.1 elric laddattr(&attr, &attrlen, "accountExpires"); 911 1.1 elric laddattr(&attr, &attrlen, "userAccountControl"); 912 1.1 elric 913 1.1 elric krb5_unparse_name_short(context->context, principal, &p); 914 1.1 elric krb5_unparse_name(context->context, principal, &u); 915 1.1 elric 916 1.1 elric /* replace @ in domain part with a / */ 917 1.1 elric q = strrchr(p, '@'); 918 1.1 elric if (q && (p != q && *(q - 1) != '\\')) 919 1.1 elric *q = '/'; 920 1.1 elric 921 1.1 elric asprintf(&filter, 922 1.1 elric "(|(userPrincipalName=%s)(servicePrincipalName=%s)(servicePrincipalName=%s))", 923 1.1 elric u, p, u); 924 1.1 elric free(p); 925 1.1 elric free(u); 926 1.1 elric 927 1.1 elric ret = ldap_search_s(CTX2LP(context), CTX2BASE(context), 928 1.1 elric LDAP_SCOPE_SUBTREE, 929 1.1 elric filter, attr, 0, &m); 930 1.1 elric free(attr); 931 1.1 elric if (check_ldap(context, ret)) 932 1.1 elric return KADM5_RPC_ERROR; 933 1.1 elric 934 1.1 elric if (ldap_count_entries(CTX2LP(context), m) > 0) { 935 1.1 elric char **vals; 936 1.1 elric m0 = ldap_first_entry(CTX2LP(context), m); 937 1.1 elric if (m0 == NULL) { 938 1.1 elric ldap_msgfree(m); 939 1.1 elric goto fail; 940 1.1 elric } 941 1.1 elric #if 0 942 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "servicePrincipalName"); 943 1.1 elric if (vals) 944 1.1 elric printf("servicePrincipalName %s\n", vals[0]); 945 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "userPrincipalName"); 946 1.1 elric if (vals) 947 1.1 elric printf("userPrincipalName %s\n", vals[0]); 948 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl"); 949 1.1 elric if (vals) 950 1.1 elric printf("userAccountControl %s\n", vals[0]); 951 1.1 elric #endif 952 1.1 elric entry->princ_expire_time = 0; 953 1.1 elric if (mask & KADM5_PRINC_EXPIRE_TIME) { 954 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "accountExpires"); 955 1.1 elric if (vals) 956 1.1 elric entry->princ_expire_time = nt2unixtime(vals[0]); 957 1.1 elric } 958 1.1 elric entry->last_success = 0; 959 1.1 elric if (mask & KADM5_LAST_SUCCESS) { 960 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "lastLogon"); 961 1.1 elric if (vals) 962 1.1 elric entry->last_success = nt2unixtime(vals[0]); 963 1.1 elric } 964 1.1 elric if (mask & KADM5_LAST_FAILED) { 965 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "badPasswordTime"); 966 1.1 elric if (vals) 967 1.1 elric entry->last_failed = nt2unixtime(vals[0]); 968 1.1 elric } 969 1.1 elric if (mask & KADM5_LAST_PWD_CHANGE) { 970 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "pwdLastSet"); 971 1.1 elric if (vals) 972 1.1 elric entry->last_pwd_change = nt2unixtime(vals[0]); 973 1.1 elric } 974 1.1 elric if (mask & KADM5_FAIL_AUTH_COUNT) { 975 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "badPwdCount"); 976 1.1 elric if (vals) 977 1.1 elric entry->fail_auth_count = atoi(vals[0]); 978 1.1 elric } 979 1.1 elric if (mask & KADM5_ATTRIBUTES) { 980 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl"); 981 1.1 elric if (vals) { 982 1.1 elric uint32_t i; 983 1.1 elric i = atoi(vals[0]); 984 1.1 elric if (i & (UF_ACCOUNTDISABLE|UF_LOCKOUT)) 985 1.1 elric entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; 986 1.1 elric if ((i & UF_DONT_REQUIRE_PREAUTH) == 0) 987 1.1 elric entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH; 988 1.1 elric if (i & UF_SMARTCARD_REQUIRED) 989 1.1 elric entry->attributes |= KRB5_KDB_REQUIRES_HW_AUTH; 990 1.1 elric if ((i & UF_WORKSTATION_TRUST_ACCOUNT) == 0) 991 1.1 elric entry->attributes |= KRB5_KDB_DISALLOW_SVR; 992 1.1 elric } 993 1.1 elric } 994 1.1 elric if (mask & KADM5_KVNO) { 995 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, 996 1.1 elric "msDS-KeyVersionNumber"); 997 1.1 elric if (vals) 998 1.1 elric entry->kvno = atoi(vals[0]); 999 1.1 elric else 1000 1.1 elric entry->kvno = 0; 1001 1.1 elric } 1002 1.1 elric ldap_msgfree(m); 1003 1.1 elric } else { 1004 1.1 elric return KADM5_UNK_PRINC; 1005 1.1 elric } 1006 1.1 elric 1007 1.1 elric if (mask & KADM5_PRINCIPAL) 1008 1.1 elric krb5_copy_principal(context->context, principal, &entry->principal); 1009 1.1 elric 1010 1.1 elric return 0; 1011 1.1 elric fail: 1012 1.1 elric return KADM5_RPC_ERROR; 1013 1.1 elric #else 1014 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1015 1.1 elric return KADM5_RPC_ERROR; 1016 1.1 elric #endif 1017 1.1 elric } 1018 1.1 elric 1019 1.1 elric static kadm5_ret_t 1020 1.1 elric kadm5_ad_get_principals(void *server_handle, 1021 1.1 elric const char *expression, 1022 1.1 elric char ***principals, 1023 1.1 elric int *count) 1024 1.1 elric { 1025 1.1 elric kadm5_ad_context *context = server_handle; 1026 1.1 elric 1027 1.1 elric /* 1028 1.1 elric * KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES 1029 1.1 elric */ 1030 1.1 elric 1031 1.1 elric #ifdef OPENLDAP 1032 1.1 elric kadm5_ret_t ret; 1033 1.1 elric 1034 1.1 elric ret = ad_get_cred(context, NULL); 1035 1.1 elric if (ret) 1036 1.1 elric return ret; 1037 1.1 elric 1038 1.1 elric ret = _kadm5_ad_connect(server_handle); 1039 1.1 elric if (ret) 1040 1.1 elric return ret; 1041 1.1 elric 1042 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1043 1.1 elric return KADM5_RPC_ERROR; 1044 1.1 elric #else 1045 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1046 1.1 elric return KADM5_RPC_ERROR; 1047 1.1 elric #endif 1048 1.1 elric } 1049 1.1 elric 1050 1.1 elric static kadm5_ret_t 1051 1.1 elric kadm5_ad_get_privs(void *server_handle, uint32_t*privs) 1052 1.1 elric { 1053 1.1 elric kadm5_ad_context *context = server_handle; 1054 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1055 1.1 elric return KADM5_RPC_ERROR; 1056 1.1 elric } 1057 1.1 elric 1058 1.1 elric static kadm5_ret_t 1059 1.1 elric kadm5_ad_modify_principal(void *server_handle, 1060 1.1 elric kadm5_principal_ent_t entry, 1061 1.1 elric uint32_t mask) 1062 1.1 elric { 1063 1.1 elric kadm5_ad_context *context = server_handle; 1064 1.1 elric 1065 1.1 elric /* 1066 1.1 elric * KADM5_ATTRIBUTES 1067 1.1 elric * KRB5_KDB_DISALLOW_ALL_TIX (| KADM5_KVNO) 1068 1.1 elric */ 1069 1.1 elric 1070 1.1 elric #ifdef OPENLDAP 1071 1.1 elric LDAPMessage *m = NULL, *m0; 1072 1.1 elric kadm5_ret_t ret; 1073 1.1 elric char **attr = NULL; 1074 1.1 elric int attrlen = 0; 1075 1.1 elric char *p = NULL, *s = NULL, *q; 1076 1.1 elric char **vals; 1077 1.1 elric LDAPMod *attrs[4], rattrs[3], *a; 1078 1.1 elric char *uaf[2] = { NULL, NULL }; 1079 1.1 elric char *kvno[2] = { NULL, NULL }; 1080 1.1 elric char *tv[2] = { NULL, NULL }; 1081 1.1 elric char *filter, *dn; 1082 1.1 elric int i; 1083 1.1 elric 1084 1.1 elric for (i = 0; i < sizeof(rattrs)/sizeof(rattrs[0]); i++) 1085 1.1 elric attrs[i] = &rattrs[i]; 1086 1.1 elric attrs[i] = NULL; 1087 1.1 elric a = &rattrs[0]; 1088 1.1 elric 1089 1.1 elric ret = _kadm5_ad_connect(server_handle); 1090 1.1 elric if (ret) 1091 1.1 elric return ret; 1092 1.1 elric 1093 1.1 elric if (mask & KADM5_KVNO) 1094 1.1 elric laddattr(&attr, &attrlen, "msDS-KeyVersionNumber"); 1095 1.1 elric if (mask & KADM5_PRINC_EXPIRE_TIME) 1096 1.1 elric laddattr(&attr, &attrlen, "accountExpires"); 1097 1.1 elric if (mask & KADM5_ATTRIBUTES) 1098 1.1 elric laddattr(&attr, &attrlen, "userAccountControl"); 1099 1.1 elric laddattr(&attr, &attrlen, "distinguishedName"); 1100 1.1 elric 1101 1.1 elric krb5_unparse_name(context->context, entry->principal, &p); 1102 1.1 elric 1103 1.1 elric s = strdup(p); 1104 1.1 elric 1105 1.1 elric q = strrchr(s, '@'); 1106 1.1 elric if (q && (p != q && *(q - 1) != '\\')) 1107 1.1 elric *q = '\0'; 1108 1.1 elric 1109 1.1 elric asprintf(&filter, 1110 1.1 elric "(|(userPrincipalName=%s)(servicePrincipalName=%s))", 1111 1.1 elric s, s); 1112 1.1 elric free(p); 1113 1.1 elric free(s); 1114 1.1 elric 1115 1.1 elric ret = ldap_search_s(CTX2LP(context), CTX2BASE(context), 1116 1.1 elric LDAP_SCOPE_SUBTREE, 1117 1.1 elric filter, attr, 0, &m); 1118 1.1 elric free(attr); 1119 1.1 elric free(filter); 1120 1.1 elric if (check_ldap(context, ret)) 1121 1.1 elric return KADM5_RPC_ERROR; 1122 1.1 elric 1123 1.1 elric if (ldap_count_entries(CTX2LP(context), m) <= 0) { 1124 1.1 elric ret = KADM5_RPC_ERROR; 1125 1.1 elric goto out; 1126 1.1 elric } 1127 1.1 elric 1128 1.1 elric m0 = ldap_first_entry(CTX2LP(context), m); 1129 1.1 elric 1130 1.1 elric if (mask & KADM5_ATTRIBUTES) { 1131 1.1 elric int32_t i; 1132 1.1 elric 1133 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl"); 1134 1.1 elric if (vals == NULL) { 1135 1.1 elric ret = KADM5_RPC_ERROR; 1136 1.1 elric goto out; 1137 1.1 elric } 1138 1.1 elric 1139 1.1 elric i = atoi(vals[0]); 1140 1.1 elric if (i == 0) 1141 1.1 elric return KADM5_RPC_ERROR; 1142 1.1 elric 1143 1.1 elric if (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX) 1144 1.1 elric i |= (UF_ACCOUNTDISABLE|UF_LOCKOUT); 1145 1.1 elric else 1146 1.1 elric i &= ~(UF_ACCOUNTDISABLE|UF_LOCKOUT); 1147 1.1 elric if (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH) 1148 1.1 elric i &= ~UF_DONT_REQUIRE_PREAUTH; 1149 1.1 elric else 1150 1.1 elric i |= UF_DONT_REQUIRE_PREAUTH; 1151 1.1 elric if (entry->attributes & KRB5_KDB_REQUIRES_HW_AUTH) 1152 1.1 elric i |= UF_SMARTCARD_REQUIRED; 1153 1.1 elric else 1154 1.1 elric i &= UF_SMARTCARD_REQUIRED; 1155 1.1 elric if (entry->attributes & KRB5_KDB_DISALLOW_SVR) 1156 1.1 elric i &= ~UF_WORKSTATION_TRUST_ACCOUNT; 1157 1.1 elric else 1158 1.1 elric i |= UF_WORKSTATION_TRUST_ACCOUNT; 1159 1.1 elric 1160 1.1 elric asprintf(&uaf[0], "%d", i); 1161 1.1 elric 1162 1.1 elric a->mod_op = LDAP_MOD_REPLACE; 1163 1.1 elric a->mod_type = "userAccountControl"; 1164 1.1 elric a->mod_values = uaf; 1165 1.1 elric a++; 1166 1.1 elric } 1167 1.1 elric 1168 1.1 elric if (mask & KADM5_KVNO) { 1169 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "msDS-KeyVersionNumber"); 1170 1.1 elric if (vals == NULL) { 1171 1.1 elric entry->kvno = 0; 1172 1.1 elric } else { 1173 1.1 elric asprintf(&kvno[0], "%d", entry->kvno); 1174 1.1 elric 1175 1.1 elric a->mod_op = LDAP_MOD_REPLACE; 1176 1.1 elric a->mod_type = "msDS-KeyVersionNumber"; 1177 1.1 elric a->mod_values = kvno; 1178 1.1 elric a++; 1179 1.1 elric } 1180 1.1 elric } 1181 1.1 elric 1182 1.1 elric if (mask & KADM5_PRINC_EXPIRE_TIME) { 1183 1.1 elric long long wt; 1184 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "accountExpires"); 1185 1.1 elric if (vals == NULL) { 1186 1.1 elric ret = KADM5_RPC_ERROR; 1187 1.1 elric goto out; 1188 1.1 elric } 1189 1.1 elric 1190 1.1 elric wt = unix2nttime(entry->princ_expire_time); 1191 1.1 elric 1192 1.1 elric asprintf(&tv[0], "%llu", wt); 1193 1.1 elric 1194 1.1 elric a->mod_op = LDAP_MOD_REPLACE; 1195 1.1 elric a->mod_type = "accountExpires"; 1196 1.1 elric a->mod_values = tv; 1197 1.1 elric a++; 1198 1.1 elric } 1199 1.1 elric 1200 1.1 elric vals = ldap_get_values(CTX2LP(context), m0, "distinguishedName"); 1201 1.1 elric if (vals == NULL) { 1202 1.1 elric ret = KADM5_RPC_ERROR; 1203 1.1 elric goto out; 1204 1.1 elric } 1205 1.1 elric dn = vals[0]; 1206 1.1 elric 1207 1.1 elric attrs[a - &rattrs[0]] = NULL; 1208 1.1 elric 1209 1.1 elric ret = ldap_modify_s(CTX2LP(context), dn, attrs); 1210 1.1 elric if (check_ldap(context, ret)) 1211 1.1 elric return KADM5_RPC_ERROR; 1212 1.1 elric 1213 1.1 elric out: 1214 1.1 elric if (m) 1215 1.1 elric ldap_msgfree(m); 1216 1.1 elric if (uaf[0]) 1217 1.1 elric free(uaf[0]); 1218 1.1 elric if (kvno[0]) 1219 1.1 elric free(kvno[0]); 1220 1.1 elric if (tv[0]) 1221 1.1 elric free(tv[0]); 1222 1.1 elric return ret; 1223 1.1 elric #else 1224 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1225 1.1 elric return KADM5_RPC_ERROR; 1226 1.1 elric #endif 1227 1.1 elric } 1228 1.1 elric 1229 1.1 elric static kadm5_ret_t 1230 1.1 elric kadm5_ad_randkey_principal(void *server_handle, 1231 1.1 elric krb5_principal principal, 1232 1.1 elric krb5_keyblock **keys, 1233 1.1 elric int *n_keys) 1234 1.1 elric { 1235 1.1 elric kadm5_ad_context *context = server_handle; 1236 1.1 elric 1237 1.1 elric /* 1238 1.1 elric * random key 1239 1.1 elric */ 1240 1.1 elric 1241 1.1 elric #ifdef OPENLDAP 1242 1.1 elric krb5_data result_code_string, result_string; 1243 1.1 elric int result_code, plen; 1244 1.1 elric kadm5_ret_t ret; 1245 1.1 elric char *password; 1246 1.1 elric 1247 1.1 elric *keys = NULL; 1248 1.1 elric *n_keys = 0; 1249 1.1 elric 1250 1.1 elric { 1251 1.1 elric char p[64]; 1252 1.1 elric krb5_generate_random_block(p, sizeof(p)); 1253 1.1 elric plen = base64_encode(p, sizeof(p), &password); 1254 1.1 elric if (plen < 0) 1255 1.1 elric return ENOMEM; 1256 1.1 elric } 1257 1.1 elric 1258 1.1 elric ret = ad_get_cred(context, NULL); 1259 1.1 elric if (ret) { 1260 1.1 elric free(password); 1261 1.1 elric return ret; 1262 1.1 elric } 1263 1.1 elric 1264 1.1 elric krb5_data_zero (&result_code_string); 1265 1.1 elric krb5_data_zero (&result_string); 1266 1.1 elric 1267 1.1 elric ret = krb5_set_password_using_ccache (context->context, 1268 1.1 elric context->ccache, 1269 1.1 elric password, 1270 1.1 elric principal, 1271 1.1 elric &result_code, 1272 1.1 elric &result_code_string, 1273 1.1 elric &result_string); 1274 1.1 elric 1275 1.1 elric krb5_data_free (&result_code_string); 1276 1.1 elric krb5_data_free (&result_string); 1277 1.1 elric 1278 1.1 elric if (ret == 0) { 1279 1.1 elric 1280 1.1 elric *keys = malloc(sizeof(**keys) * 1); 1281 1.1 elric if (*keys == NULL) { 1282 1.1 elric ret = ENOMEM; 1283 1.1 elric goto out; 1284 1.1 elric } 1285 1.1 elric *n_keys = 1; 1286 1.1 elric 1287 1.1 elric ret = krb5_string_to_key(context->context, 1288 1.1 elric ENCTYPE_ARCFOUR_HMAC_MD5, 1289 1.1 elric password, 1290 1.1 elric principal, 1291 1.1 elric &(*keys)[0]); 1292 1.2 apb memset(password, 0, plen); 1293 1.1 elric if (ret) { 1294 1.1 elric free(*keys); 1295 1.1 elric *keys = NULL; 1296 1.1 elric *n_keys = 0; 1297 1.1 elric goto out; 1298 1.1 elric } 1299 1.1 elric } 1300 1.1 elric memset(password, 0, plen); 1301 1.1 elric free(password); 1302 1.1 elric out: 1303 1.1 elric return ret; 1304 1.1 elric #else 1305 1.1 elric *keys = NULL; 1306 1.1 elric *n_keys = 0; 1307 1.1 elric 1308 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1309 1.1 elric return KADM5_RPC_ERROR; 1310 1.1 elric #endif 1311 1.1 elric } 1312 1.1 elric 1313 1.1 elric static kadm5_ret_t 1314 1.1 elric kadm5_ad_rename_principal(void *server_handle, 1315 1.1 elric krb5_principal from, 1316 1.1 elric krb5_principal to) 1317 1.1 elric { 1318 1.1 elric kadm5_ad_context *context = server_handle; 1319 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1320 1.1 elric return KADM5_RPC_ERROR; 1321 1.1 elric } 1322 1.1 elric 1323 1.1 elric static kadm5_ret_t 1324 1.1 elric kadm5_ad_chpass_principal_with_key(void *server_handle, 1325 1.1 elric krb5_principal princ, 1326 1.1 elric int n_key_data, 1327 1.1 elric krb5_key_data *key_data) 1328 1.1 elric { 1329 1.1 elric kadm5_ad_context *context = server_handle; 1330 1.1 elric krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1331 1.1 elric return KADM5_RPC_ERROR; 1332 1.1 elric } 1333 1.1 elric 1334 1.1 elric static void 1335 1.1 elric set_funcs(kadm5_ad_context *c) 1336 1.1 elric { 1337 1.1 elric #define SET(C, F) (C)->funcs.F = kadm5_ad_ ## F 1338 1.1 elric SET(c, chpass_principal); 1339 1.1 elric SET(c, chpass_principal_with_key); 1340 1.1 elric SET(c, create_principal); 1341 1.1 elric SET(c, delete_principal); 1342 1.1 elric SET(c, destroy); 1343 1.1 elric SET(c, flush); 1344 1.1 elric SET(c, get_principal); 1345 1.1 elric SET(c, get_principals); 1346 1.1 elric SET(c, get_privs); 1347 1.1 elric SET(c, modify_principal); 1348 1.1 elric SET(c, randkey_principal); 1349 1.1 elric SET(c, rename_principal); 1350 1.1 elric } 1351 1.1 elric 1352 1.1 elric kadm5_ret_t 1353 1.1 elric kadm5_ad_init_with_password_ctx(krb5_context context, 1354 1.1 elric const char *client_name, 1355 1.1 elric const char *password, 1356 1.1 elric const char *service_name, 1357 1.1 elric kadm5_config_params *realm_params, 1358 1.1 elric unsigned long struct_version, 1359 1.1 elric unsigned long api_version, 1360 1.1 elric void **server_handle) 1361 1.1 elric { 1362 1.1 elric kadm5_ret_t ret; 1363 1.1 elric kadm5_ad_context *ctx; 1364 1.1 elric 1365 1.1 elric ctx = malloc(sizeof(*ctx)); 1366 1.1 elric if(ctx == NULL) 1367 1.1 elric return ENOMEM; 1368 1.1 elric memset(ctx, 0, sizeof(*ctx)); 1369 1.1 elric set_funcs(ctx); 1370 1.1 elric 1371 1.1 elric ctx->context = context; 1372 1.1 elric krb5_add_et_list (context, initialize_kadm5_error_table_r); 1373 1.1 elric 1374 1.1 elric ret = krb5_parse_name(ctx->context, client_name, &ctx->caller); 1375 1.1 elric if(ret) { 1376 1.1 elric free(ctx); 1377 1.1 elric return ret; 1378 1.1 elric } 1379 1.1 elric 1380 1.1 elric if(realm_params->mask & KADM5_CONFIG_REALM) { 1381 1.1 elric ret = 0; 1382 1.1 elric ctx->realm = strdup(realm_params->realm); 1383 1.1 elric if (ctx->realm == NULL) 1384 1.1 elric ret = ENOMEM; 1385 1.1 elric } else 1386 1.1 elric ret = krb5_get_default_realm(ctx->context, &ctx->realm); 1387 1.1 elric if (ret) { 1388 1.1 elric free(ctx); 1389 1.1 elric return ret; 1390 1.1 elric } 1391 1.1 elric 1392 1.1 elric ctx->client_name = strdup(client_name); 1393 1.1 elric 1394 1.1 elric if(password != NULL && *password != '\0') 1395 1.1 elric ret = ad_get_cred(ctx, password); 1396 1.1 elric else 1397 1.1 elric ret = ad_get_cred(ctx, NULL); 1398 1.1 elric if(ret) { 1399 1.1 elric kadm5_ad_destroy(ctx); 1400 1.1 elric return ret; 1401 1.1 elric } 1402 1.1 elric 1403 1.1 elric #ifdef OPENLDAP 1404 1.1 elric ret = _kadm5_ad_connect(ctx); 1405 1.1 elric if (ret) { 1406 1.1 elric kadm5_ad_destroy(ctx); 1407 1.1 elric return ret; 1408 1.1 elric } 1409 1.1 elric #endif 1410 1.1 elric 1411 1.1 elric *server_handle = ctx; 1412 1.1 elric return 0; 1413 1.1 elric } 1414 1.1 elric 1415 1.1 elric kadm5_ret_t 1416 1.1 elric kadm5_ad_init_with_password(const char *client_name, 1417 1.1 elric const char *password, 1418 1.1 elric const char *service_name, 1419 1.1 elric kadm5_config_params *realm_params, 1420 1.1 elric unsigned long struct_version, 1421 1.1 elric unsigned long api_version, 1422 1.1 elric void **server_handle) 1423 1.1 elric { 1424 1.1 elric krb5_context context; 1425 1.1 elric kadm5_ret_t ret; 1426 1.1 elric kadm5_ad_context *ctx; 1427 1.1 elric 1428 1.1 elric ret = krb5_init_context(&context); 1429 1.1 elric if (ret) 1430 1.1 elric return ret; 1431 1.1 elric ret = kadm5_ad_init_with_password_ctx(context, 1432 1.1 elric client_name, 1433 1.1 elric password, 1434 1.1 elric service_name, 1435 1.1 elric realm_params, 1436 1.1 elric struct_version, 1437 1.1 elric api_version, 1438 1.1 elric server_handle); 1439 1.1 elric if(ret) { 1440 1.1 elric krb5_free_context(context); 1441 1.1 elric return ret; 1442 1.1 elric } 1443 1.1 elric ctx = *server_handle; 1444 1.1 elric ctx->my_context = 1; 1445 1.1 elric return 0; 1446 1.1 elric } 1447
Indexes created Sat Feb 28 05:31:39 UTC 2026