1/* 2 * Copyright (c) 2004 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#define HAVE_TSASL 1 35 36#include "kadm5_locl.h" 37#if 1 38#undef OPENLDAP 39#undef HAVE_TSASL 40#endif 41#ifdef OPENLDAP 42#include <ldap.h> 43#ifdef HAVE_TSASL 44#include <tsasl.h> 45#endif 46#include <resolve.h> 47#include <base64.h> 48#endif 49 50RCSID("$Id$"); 51 52#ifdef OPENLDAP 53 54#define CTX2LP(context) ((LDAP *)((context)->ldap_conn)) 55#define CTX2BASE(context) ((context)->base_dn) 56 57/* 58 * userAccountControl 59 */ 60 61#define UF_SCRIPT 0x00000001 62#define UF_ACCOUNTDISABLE 0x00000002 63#define UF_UNUSED_0 0x00000004 64#define UF_HOMEDIR_REQUIRED 0x00000008 65#define UF_LOCKOUT 0x00000010 66#define UF_PASSWD_NOTREQD 0x00000020 67#define UF_PASSWD_CANT_CHANGE 0x00000040 68#define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x00000080 69#define UF_TEMP_DUPLICATE_ACCOUNT 0x00000100 70#define UF_NORMAL_ACCOUNT 0x00000200 71#define UF_UNUSED_1 0x00000400 72#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800 73#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000 74#define UF_SERVER_TRUST_ACCOUNT 0x00002000 75#define UF_UNUSED_2 0x00004000 76#define UF_UNUSED_3 0x00008000 77#define UF_PASSWD_NOT_EXPIRE 0x00010000 78#define UF_MNS_LOGON_ACCOUNT 0x00020000 79#define UF_SMARTCARD_REQUIRED 0x00040000 80#define UF_TRUSTED_FOR_DELEGATION 0x00080000 81#define UF_NOT_DELEGATED 0x00100000 82#define UF_USE_DES_KEY_ONLY 0x00200000 83#define UF_DONT_REQUIRE_PREAUTH 0x00400000 84#define UF_UNUSED_4 0x00800000 85#define UF_UNUSED_5 0x01000000 86#define UF_UNUSED_6 0x02000000 87#define UF_UNUSED_7 0x04000000 88#define UF_UNUSED_8 0x08000000 89#define UF_UNUSED_9 0x10000000 90#define UF_UNUSED_10 0x20000000 91#define UF_UNUSED_11 0x40000000 92#define UF_UNUSED_12 0x80000000 93 94/* 95 * 96 */ 97 98#ifndef HAVE_TSASL 99static int 100sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *interact) 101{ 102 return LDAP_SUCCESS; 103} 104#endif 105 106#if 0 107static Sockbuf_IO ldap_tsasl_io = { 108 NULL, /* sbi_setup */ 109 NULL, /* sbi_remove */ 110 NULL, /* sbi_ctrl */ 111 NULL, /* sbi_read */ 112 NULL, /* sbi_write */ 113 NULL /* sbi_close */ 114}; 115#endif 116 117#ifdef HAVE_TSASL 118static int 119ldap_tsasl_bind_s(LDAP *ld, 120 LDAP_CONST char *dn, 121 LDAPControl **serverControls, 122 LDAPControl **clientControls, 123 const char *host) 124{ 125 char *attrs[] = { "supportedSASLMechanisms", NULL }; 126 struct tsasl_peer *peer = NULL; 127 struct tsasl_buffer in, out; 128 struct berval ccred, *scred; 129 LDAPMessage *m, *m0; 130 const char *mech; 131 char **vals; 132 int ret, rc; 133 134 ret = tsasl_peer_init(TSASL_FLAGS_INITIATOR | TSASL_FLAGS_CLEAR, 135 "ldap", host, &peer); 136 if (ret != TSASL_DONE) { 137 rc = LDAP_LOCAL_ERROR; 138 goto out; 139 } 140 141 rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE, NULL, attrs, 0, &m0); 142 if (rc != LDAP_SUCCESS) 143 goto out; 144 145 m = ldap_first_entry(ld, m0); 146 if (m == NULL) { 147 ldap_msgfree(m0); 148 goto out; 149 } 150 151 vals = ldap_get_values(ld, m, "supportedSASLMechanisms"); 152 if (vals == NULL) { 153 ldap_msgfree(m0); 154 goto out; 155 } 156 157 ret = tsasl_find_best_mech(peer, vals, &mech); 158 if (ret) { 159 ldap_msgfree(m0); 160 goto out; 161 } 162 163 ldap_msgfree(m0); 164 165 ret = tsasl_select_mech(peer, mech); 166 if (ret != TSASL_DONE) { 167 rc = LDAP_LOCAL_ERROR; 168 goto out; 169 } 170 171 in.tb_data = NULL; 172 in.tb_size = 0; 173 174 do { 175 ret = tsasl_request(peer, &in, &out); 176 if (in.tb_size != 0) { 177 free(in.tb_data); 178 in.tb_data = NULL; 179 in.tb_size = 0; 180 } 181 if (ret != TSASL_DONE && ret != TSASL_CONTINUE) { 182 rc = LDAP_AUTH_UNKNOWN; 183 goto out; 184 } 185 186 ccred.bv_val = out.tb_data; 187 ccred.bv_len = out.tb_size; 188 189 rc = ldap_sasl_bind_s(ld, dn, mech, &ccred, 190 serverControls, clientControls, &scred); 191 tsasl_buffer_free(&out); 192 193 if (rc != LDAP_SUCCESS && rc != LDAP_SASL_BIND_IN_PROGRESS) { 194 if(scred && scred->bv_len) 195 ber_bvfree(scred); 196 goto out; 197 } 198 199 in.tb_data = malloc(scred->bv_len); 200 if (in.tb_data == NULL) { 201 rc = LDAP_LOCAL_ERROR; 202 goto out; 203 } 204 memcpy(in.tb_data, scred->bv_val, scred->bv_len); 205 in.tb_size = scred->bv_len; 206 ber_bvfree(scred); 207 208 } while (rc == LDAP_SASL_BIND_IN_PROGRESS); 209 210 out: 211 if (rc == LDAP_SUCCESS) { 212#if 0 213 ber_sockbuf_add_io(ld->ld_conns->lconn_sb, &ldap_tsasl_io, 214 LBER_SBIOD_LEVEL_APPLICATION, peer); 215 216#endif 217 } else if (peer != NULL) 218 tsasl_peer_free(peer); 219 220 return rc; 221} 222#endif /* HAVE_TSASL */ 223 224 225static int 226check_ldap(kadm5_ad_context *context, int ret) 227{ 228 switch (ret) { 229 case LDAP_SUCCESS: 230 return 0; 231 case LDAP_SERVER_DOWN: { 232 LDAP *lp = CTX2LP(context); 233 ldap_unbind(lp); 234 context->ldap_conn = NULL; 235 free(context->base_dn); 236 context->base_dn = NULL; 237 return 1; 238 } 239 default: 240 return 1; 241 } 242} 243 244/* 245 * 246 */ 247 248static void 249laddattr(char ***al, int *attrlen, char *attr) 250{ 251 char **a; 252 a = realloc(*al, (*attrlen + 2) * sizeof(**al)); 253 if (a == NULL) 254 return; 255 a[*attrlen] = attr; 256 a[*attrlen + 1] = NULL; 257 (*attrlen)++; 258 *al = a; 259} 260 261static kadm5_ret_t 262_kadm5_ad_connect(void *server_handle) 263{ 264 kadm5_ad_context *context = server_handle; 265 struct { 266 char *server; 267 int port; 268 } *s, *servers = NULL; 269 int i, num_servers = 0; 270 271 if (context->ldap_conn) 272 return 0; 273 274 { 275 struct dns_reply *r; 276 struct resource_record *rr; 277 char *domain; 278 279 asprintf(&domain, "_ldap._tcp.%s", context->realm); 280 if (domain == NULL) { 281 krb5_set_error_message(context->context, KADM5_NO_SRV, "malloc"); 282 return KADM5_NO_SRV; 283 } 284 285 r = dns_lookup(domain, "SRV"); 286 free(domain); 287 if (r == NULL) { 288 krb5_set_error_message(context->context, KADM5_NO_SRV, "Didn't find ldap dns"); 289 return KADM5_NO_SRV; 290 } 291 292 for (rr = r->head ; rr != NULL; rr = rr->next) { 293 if (rr->type != rk_ns_t_srv) 294 continue; 295 s = realloc(servers, sizeof(*servers) * (num_servers + 1)); 296 if (s == NULL) { 297 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "malloc"); 298 dns_free_data(r); 299 goto fail; 300 } 301 servers = s; 302 num_servers++; 303 servers[num_servers - 1].port = rr->u.srv->port; 304 servers[num_servers - 1].server = strdup(rr->u.srv->target); 305 } 306 dns_free_data(r); 307 } 308 309 if (num_servers == 0) { 310 krb5_set_error_message(context->context, KADM5_NO_SRV, "No AD server found in DNS"); 311 return KADM5_NO_SRV; 312 } 313 314 for (i = 0; i < num_servers; i++) { 315 int lret, version = LDAP_VERSION3; 316 LDAP *lp; 317 318 lp = ldap_init(servers[i].server, servers[i].port); 319 if (lp == NULL) 320 continue; 321 322 if (ldap_set_option(lp, LDAP_OPT_PROTOCOL_VERSION, &version)) { 323 ldap_unbind(lp); 324 continue; 325 } 326 327 if (ldap_set_option(lp, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)) { 328 ldap_unbind(lp); 329 continue; 330 } 331 332#ifdef HAVE_TSASL 333 lret = ldap_tsasl_bind_s(lp, NULL, NULL, NULL, servers[i].server); 334 335#else 336 lret = ldap_sasl_interactive_bind_s(lp, NULL, NULL, NULL, NULL, 337 LDAP_SASL_QUIET, 338 sasl_interact, NULL); 339#endif 340 if (lret != LDAP_SUCCESS) { 341 krb5_set_error_message(context->context, 0, 342 "Couldn't contact any AD servers: %s", 343 ldap_err2string(lret)); 344 ldap_unbind(lp); 345 continue; 346 } 347 348 context->ldap_conn = lp; 349 break; 350 } 351 if (i >= num_servers) { 352 goto fail; 353 } 354 355 { 356 LDAPMessage *m, *m0; 357 char **attr = NULL; 358 int attrlen = 0; 359 char **vals; 360 int ret; 361 362 laddattr(&attr, &attrlen, "defaultNamingContext"); 363 364 ret = ldap_search_s(CTX2LP(context), "", LDAP_SCOPE_BASE, 365 "objectclass=*", attr, 0, &m); 366 free(attr); 367 if (check_ldap(context, ret)) 368 goto fail; 369 370 if (ldap_count_entries(CTX2LP(context), m) > 0) { 371 m0 = ldap_first_entry(CTX2LP(context), m); 372 if (m0 == NULL) { 373 krb5_set_error_message(context->context, KADM5_RPC_ERROR, 374 "Error in AD ldap responce"); 375 ldap_msgfree(m); 376 goto fail; 377 } 378 vals = ldap_get_values(CTX2LP(context), 379 m0, "defaultNamingContext"); 380 if (vals == NULL) { 381 krb5_set_error_message(context->context, KADM5_RPC_ERROR, 382 "No naming context found"); 383 goto fail; 384 } 385 context->base_dn = strdup(vals[0]); 386 } else 387 goto fail; 388 ldap_msgfree(m); 389 } 390 391 for (i = 0; i < num_servers; i++) 392 free(servers[i].server); 393 free(servers); 394 395 return 0; 396 397 fail: 398 for (i = 0; i < num_servers; i++) 399 free(servers[i].server); 400 free(servers); 401 402 if (context->ldap_conn) { 403 ldap_unbind(CTX2LP(context)); 404 context->ldap_conn = NULL; 405 } 406 return KADM5_RPC_ERROR; 407} 408 409#define NTTIME_EPOCH 0x019DB1DED53E8000LL 410 411static time_t 412nt2unixtime(const char *str) 413{ 414 unsigned long long t; 415 t = strtoll(str, NULL, 10); 416 t = ((t - NTTIME_EPOCH) / (long long)10000000); 417 if (t > (((time_t)(~(long long)0)) >> 1)) 418 return 0; 419 return (time_t)t; 420} 421 422static long long 423unix2nttime(time_t unix_time) 424{ 425 long long wt; 426 wt = unix_time * (long long)10000000 + (long long)NTTIME_EPOCH; 427 return wt; 428} 429 430/* XXX create filter in a better way */ 431 432static int 433ad_find_entry(kadm5_ad_context *context, 434 const char *fqdn, 435 const char *pn, 436 char **name) 437{ 438 LDAPMessage *m, *m0; 439 char *attr[] = { "distinguishedName", NULL }; 440 char *filter; 441 int ret; 442 443 if (name) 444 *name = NULL; 445 446 if (fqdn) 447 asprintf(&filter, 448 "(&(objectClass=computer)(|(dNSHostName=%s)(servicePrincipalName=%s)))", 449 fqdn, pn); 450 else if(pn) 451 asprintf(&filter, "(&(objectClass=account)(userPrincipalName=%s))", pn); 452 else 453 return KADM5_RPC_ERROR; 454 455 ret = ldap_search_s(CTX2LP(context), CTX2BASE(context), 456 LDAP_SCOPE_SUBTREE, 457 filter, attr, 0, &m); 458 free(filter); 459 if (check_ldap(context, ret)) 460 return KADM5_RPC_ERROR; 461 462 if (ldap_count_entries(CTX2LP(context), m) > 0) { 463 char **vals; 464 m0 = ldap_first_entry(CTX2LP(context), m); 465 vals = ldap_get_values(CTX2LP(context), m0, "distinguishedName"); 466 if (vals == NULL || vals[0] == NULL) { 467 ldap_msgfree(m); 468 return KADM5_RPC_ERROR; 469 } 470 if (name) 471 *name = strdup(vals[0]); 472 ldap_msgfree(m); 473 } else 474 return KADM5_UNK_PRINC; 475 476 return 0; 477} 478 479#endif /* OPENLDAP */ 480 481static kadm5_ret_t 482ad_get_cred(kadm5_ad_context *context, const char *password) 483{ 484 kadm5_ret_t ret; 485 krb5_ccache cc; 486 char *service; 487 488 if (context->ccache) 489 return 0; 490 491 asprintf(&service, "%s/%s@%s", KRB5_TGS_NAME, 492 context->realm, context->realm); 493 if (service == NULL) 494 return ENOMEM; 495 496 ret = _kadm5_c_get_cred_cache(context->context, 497 context->client_name, 498 service, 499 password, krb5_prompter_posix, 500 NULL, NULL, &cc); 501 free(service); 502 if(ret) 503 return ret; /* XXX */ 504 context->ccache = cc; 505 return 0; 506} 507 508static kadm5_ret_t 509kadm5_ad_chpass_principal(void *server_handle, 510 krb5_principal principal, 511 const char *password) 512{ 513 kadm5_ad_context *context = server_handle; 514 krb5_data result_code_string, result_string; 515 int result_code; 516 kadm5_ret_t ret; 517 518 ret = ad_get_cred(context, NULL); 519 if (ret) 520 return ret; 521 522 krb5_data_zero (&result_code_string); 523 krb5_data_zero (&result_string); 524 525 ret = krb5_set_password_using_ccache (context->context, 526 context->ccache, 527 password, 528 principal, 529 &result_code, 530 &result_code_string, 531 &result_string); 532 533 krb5_data_free (&result_code_string); 534 krb5_data_free (&result_string); 535 536 /* XXX do mapping here on error codes */ 537 538 return ret; 539} 540 541#ifdef OPENLDAP 542static const char * 543get_fqdn(krb5_context context, const krb5_principal p) 544{ 545 const char *s, *hosttypes[] = { "host", "ldap", "gc", "cifs", "dns" }; 546 int i; 547 548 s = krb5_principal_get_comp_string(context, p, 0); 549 if (p == NULL) 550 return NULL; 551 552 for (i = 0; i < sizeof(hosttypes)/sizeof(hosttypes[0]); i++) { 553 if (strcasecmp(s, hosttypes[i]) == 0) 554 return krb5_principal_get_comp_string(context, p, 1); 555 } 556 return 0; 557} 558#endif 559 560 561static kadm5_ret_t 562kadm5_ad_create_principal(void *server_handle, 563 kadm5_principal_ent_t entry, 564 uint32_t mask, 565 const char *password) 566{ 567 kadm5_ad_context *context = server_handle; 568 569 /* 570 * KADM5_PRINC_EXPIRE_TIME 571 * 572 * return 0 || KADM5_DUP; 573 */ 574 575#ifdef OPENLDAP 576 LDAPMod *attrs[8], rattrs[7], *a; 577 char *useraccvals[2] = { NULL, NULL }, 578 *samvals[2], *dnsvals[2], *spnvals[5], *upnvals[2], *tv[2]; 579 char *ocvals_spn[] = { "top", "person", "organizationalPerson", 580 "user", "computer", NULL}; 581 char *p, *realmless_p, *p_msrealm = NULL, *dn = NULL; 582 const char *fqdn; 583 char *s, *samname = NULL, *short_spn = NULL; 584 int ret, i; 585 int32_t uf_flags = 0; 586 587 if ((mask & KADM5_PRINCIPAL) == 0) 588 return KADM5_BAD_MASK; 589 590 for (i = 0; i < sizeof(rattrs)/sizeof(rattrs[0]); i++) 591 attrs[i] = &rattrs[i]; 592 attrs[i] = NULL; 593 594 ret = ad_get_cred(context, NULL); 595 if (ret) 596 return ret; 597 598 ret = _kadm5_ad_connect(server_handle); 599 if (ret) 600 return ret; 601 602 fqdn = get_fqdn(context->context, entry->principal); 603 604 ret = krb5_unparse_name(context->context, entry->principal, &p); 605 if (ret) 606 return ret; 607 608 if (ad_find_entry(context, fqdn, p, NULL) == 0) { 609 free(p); 610 return KADM5_DUP; 611 } 612 613 if (mask & KADM5_ATTRIBUTES) { 614 if (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX) 615 uf_flags |= UF_ACCOUNTDISABLE|UF_LOCKOUT; 616 if ((entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH) == 0) 617 uf_flags |= UF_DONT_REQUIRE_PREAUTH; 618 if (entry->attributes & KRB5_KDB_REQUIRES_HW_AUTH) 619 uf_flags |= UF_SMARTCARD_REQUIRED; 620 } 621 622 realmless_p = strdup(p); 623 if (realmless_p == NULL) { 624 ret = ENOMEM; 625 goto out; 626 } 627 s = strrchr(realmless_p, '@'); 628 if (s) 629 *s = '\0'; 630 631 if (fqdn) { 632 /* create computer account */ 633 asprintf(&samname, "%s$", fqdn); 634 if (samname == NULL) { 635 ret = ENOMEM; 636 goto out; 637 } 638 s = strchr(samname, '.'); 639 if (s) { 640 s[0] = '$'; 641 s[1] = '\0'; 642 } 643 644 short_spn = strdup(p); 645 if (short_spn == NULL) { 646 errno = ENOMEM; 647 goto out; 648 } 649 s = strchr(short_spn, '.'); 650 if (s) { 651 *s = '\0'; 652 } else { 653 free(short_spn); 654 short_spn = NULL; 655 } 656 657 p_msrealm = strdup(p); 658 if (p_msrealm == NULL) { 659 errno = ENOMEM; 660 goto out; 661 } 662 s = strrchr(p_msrealm, '@'); 663 if (s) { 664 *s = '/'; 665 } else { 666 free(p_msrealm); 667 p_msrealm = NULL; 668 } 669 670 asprintf(&dn, "cn=%s, cn=Computers, %s", fqdn, CTX2BASE(context)); 671 if (dn == NULL) { 672 ret = ENOMEM; 673 goto out; 674 } 675 676 a = &rattrs[0]; 677 a->mod_op = LDAP_MOD_ADD; 678 a->mod_type = "objectClass"; 679 a->mod_values = ocvals_spn; 680 a++; 681 682 a->mod_op = LDAP_MOD_ADD; 683 a->mod_type = "userAccountControl"; 684 a->mod_values = useraccvals; 685 asprintf(&useraccvals[0], "%d", 686 uf_flags | 687 UF_PASSWD_NOT_EXPIRE | 688 UF_WORKSTATION_TRUST_ACCOUNT); 689 useraccvals[1] = NULL; 690 a++; 691 692 a->mod_op = LDAP_MOD_ADD; 693 a->mod_type = "sAMAccountName"; 694 a->mod_values = samvals; 695 samvals[0] = samname; 696 samvals[1] = NULL; 697 a++; 698 699 a->mod_op = LDAP_MOD_ADD; 700 a->mod_type = "dNSHostName"; 701 a->mod_values = dnsvals; 702 dnsvals[0] = (char *)fqdn; 703 dnsvals[1] = NULL; 704 a++; 705 706 /* XXX add even more spn's */ 707 a->mod_op = LDAP_MOD_ADD; 708 a->mod_type = "servicePrincipalName"; 709 a->mod_values = spnvals; 710 i = 0; 711 spnvals[i++] = p; 712 spnvals[i++] = realmless_p; 713 if (short_spn) 714 spnvals[i++] = short_spn; 715 if (p_msrealm) 716 spnvals[i++] = p_msrealm; 717 spnvals[i++] = NULL; 718 a++; 719 720 a->mod_op = LDAP_MOD_ADD; 721 a->mod_type = "userPrincipalName"; 722 a->mod_values = upnvals; 723 upnvals[0] = p; 724 upnvals[1] = NULL; 725 a++; 726 727 a->mod_op = LDAP_MOD_ADD; 728 a->mod_type = "accountExpires"; 729 a->mod_values = tv; 730 tv[0] = "9223372036854775807"; /* "never" */ 731 tv[1] = NULL; 732 a++; 733 734 } else { 735 /* create user account */ 736 737 a = &rattrs[0]; 738 a->mod_op = LDAP_MOD_ADD; 739 a->mod_type = "userAccountControl"; 740 a->mod_values = useraccvals; 741 asprintf(&useraccvals[0], "%d", 742 uf_flags | 743 UF_PASSWD_NOT_EXPIRE); 744 useraccvals[1] = NULL; 745 a++; 746 747 a->mod_op = LDAP_MOD_ADD; 748 a->mod_type = "sAMAccountName"; 749 a->mod_values = samvals; 750 samvals[0] = realmless_p; 751 samvals[1] = NULL; 752 a++; 753 754 a->mod_op = LDAP_MOD_ADD; 755 a->mod_type = "userPrincipalName"; 756 a->mod_values = upnvals; 757 upnvals[0] = p; 758 upnvals[1] = NULL; 759 a++; 760 761 a->mod_op = LDAP_MOD_ADD; 762 a->mod_type = "accountExpires"; 763 a->mod_values = tv; 764 tv[0] = "9223372036854775807"; /* "never" */ 765 tv[1] = NULL; 766 a++; 767 } 768 769 attrs[a - &rattrs[0]] = NULL; 770 771 ret = ldap_add_s(CTX2LP(context), dn, attrs); 772 773 out: 774 if (useraccvals[0]) 775 free(useraccvals[0]); 776 if (realmless_p) 777 free(realmless_p); 778 if (samname) 779 free(samname); 780 if (short_spn) 781 free(short_spn); 782 if (p_msrealm) 783 free(p_msrealm); 784 free(p); 785 786 if (check_ldap(context, ret)) 787 return KADM5_RPC_ERROR; 788 789 return 0; 790#else 791 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 792 return KADM5_RPC_ERROR; 793#endif 794} 795 796static kadm5_ret_t 797kadm5_ad_delete_principal(void *server_handle, krb5_principal principal) 798{ 799 kadm5_ad_context *context = server_handle; 800#ifdef OPENLDAP 801 char *p, *dn = NULL; 802 const char *fqdn; 803 int ret; 804 805 ret = ad_get_cred(context, NULL); 806 if (ret) 807 return ret; 808 809 ret = _kadm5_ad_connect(server_handle); 810 if (ret) 811 return ret; 812 813 fqdn = get_fqdn(context->context, principal); 814 815 ret = krb5_unparse_name(context->context, principal, &p); 816 if (ret) 817 return ret; 818 819 if (ad_find_entry(context, fqdn, p, &dn) != 0) { 820 free(p); 821 return KADM5_UNK_PRINC; 822 } 823 824 ret = ldap_delete_s(CTX2LP(context), dn); 825 826 free(dn); 827 free(p); 828 829 if (check_ldap(context, ret)) 830 return KADM5_RPC_ERROR; 831 return 0; 832#else 833 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 834 return KADM5_RPC_ERROR; 835#endif 836} 837 838static kadm5_ret_t 839kadm5_ad_destroy(void *server_handle) 840{ 841 kadm5_ad_context *context = server_handle; 842 843 if (context->ccache) 844 krb5_cc_destroy(context->context, context->ccache); 845 846#ifdef OPENLDAP 847 { 848 LDAP *lp = CTX2LP(context); 849 if (lp) 850 ldap_unbind(lp); 851 if (context->base_dn) 852 free(context->base_dn); 853 } 854#endif 855 free(context->realm); 856 free(context->client_name); 857 krb5_free_principal(context->context, context->caller); 858 if(context->my_context) 859 krb5_free_context(context->context); 860 return 0; 861} 862 863static kadm5_ret_t 864kadm5_ad_flush(void *server_handle) 865{ 866 kadm5_ad_context *context = server_handle; 867 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 868 return KADM5_RPC_ERROR; 869} 870 871static kadm5_ret_t 872kadm5_ad_get_principal(void *server_handle, 873 krb5_principal principal, 874 kadm5_principal_ent_t entry, 875 uint32_t mask) 876{ 877 kadm5_ad_context *context = server_handle; 878#ifdef OPENLDAP 879 LDAPMessage *m, *m0; 880 char **attr = NULL; 881 int attrlen = 0; 882 char *filter, *p, *q, *u; 883 int ret; 884 885 /* 886 * principal 887 * KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES 888 */ 889 890 /* 891 * return 0 || KADM5_DUP; 892 */ 893 894 memset(entry, 0, sizeof(*entry)); 895 896 if (mask & KADM5_KVNO) 897 laddattr(&attr, &attrlen, "msDS-KeyVersionNumber"); 898 899 if (mask & KADM5_PRINCIPAL) { 900 laddattr(&attr, &attrlen, "userPrincipalName"); 901 laddattr(&attr, &attrlen, "servicePrincipalName"); 902 } 903 laddattr(&attr, &attrlen, "objectClass"); 904 laddattr(&attr, &attrlen, "lastLogon"); 905 laddattr(&attr, &attrlen, "badPwdCount"); 906 laddattr(&attr, &attrlen, "badPasswordTime"); 907 laddattr(&attr, &attrlen, "pwdLastSet"); 908 laddattr(&attr, &attrlen, "accountExpires"); 909 laddattr(&attr, &attrlen, "userAccountControl"); 910 911 krb5_unparse_name_short(context->context, principal, &p); 912 krb5_unparse_name(context->context, principal, &u); 913 914 /* replace @ in domain part with a / */ 915 q = strrchr(p, '@'); 916 if (q && (p != q && *(q - 1) != '\\')) 917 *q = '/'; 918 919 asprintf(&filter, 920 "(|(userPrincipalName=%s)(servicePrincipalName=%s)(servicePrincipalName=%s))", 921 u, p, u); 922 free(p); 923 free(u); 924 925 ret = ldap_search_s(CTX2LP(context), CTX2BASE(context), 926 LDAP_SCOPE_SUBTREE, 927 filter, attr, 0, &m); 928 free(attr); 929 if (check_ldap(context, ret)) 930 return KADM5_RPC_ERROR; 931 932 if (ldap_count_entries(CTX2LP(context), m) > 0) { 933 char **vals; 934 m0 = ldap_first_entry(CTX2LP(context), m); 935 if (m0 == NULL) { 936 ldap_msgfree(m); 937 goto fail; 938 } 939#if 0 940 vals = ldap_get_values(CTX2LP(context), m0, "servicePrincipalName"); 941 if (vals) 942 printf("servicePrincipalName %s\n", vals[0]); 943 vals = ldap_get_values(CTX2LP(context), m0, "userPrincipalName"); 944 if (vals) 945 printf("userPrincipalName %s\n", vals[0]); 946 vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl"); 947 if (vals) 948 printf("userAccountControl %s\n", vals[0]); 949#endif 950 entry->princ_expire_time = 0; 951 if (mask & KADM5_PRINC_EXPIRE_TIME) { 952 vals = ldap_get_values(CTX2LP(context), m0, "accountExpires"); 953 if (vals) 954 entry->princ_expire_time = nt2unixtime(vals[0]); 955 } 956 entry->last_success = 0; 957 if (mask & KADM5_LAST_SUCCESS) { 958 vals = ldap_get_values(CTX2LP(context), m0, "lastLogon"); 959 if (vals) 960 entry->last_success = nt2unixtime(vals[0]); 961 } 962 if (mask & KADM5_LAST_FAILED) { 963 vals = ldap_get_values(CTX2LP(context), m0, "badPasswordTime"); 964 if (vals) 965 entry->last_failed = nt2unixtime(vals[0]); 966 } 967 if (mask & KADM5_LAST_PWD_CHANGE) { 968 vals = ldap_get_values(CTX2LP(context), m0, "pwdLastSet"); 969 if (vals) 970 entry->last_pwd_change = nt2unixtime(vals[0]); 971 } 972 if (mask & KADM5_FAIL_AUTH_COUNT) { 973 vals = ldap_get_values(CTX2LP(context), m0, "badPwdCount"); 974 if (vals) 975 entry->fail_auth_count = atoi(vals[0]); 976 } 977 if (mask & KADM5_ATTRIBUTES) { 978 vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl"); 979 if (vals) { 980 uint32_t i; 981 i = atoi(vals[0]); 982 if (i & (UF_ACCOUNTDISABLE|UF_LOCKOUT)) 983 entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; 984 if ((i & UF_DONT_REQUIRE_PREAUTH) == 0) 985 entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH; 986 if (i & UF_SMARTCARD_REQUIRED) 987 entry->attributes |= KRB5_KDB_REQUIRES_HW_AUTH; 988 if ((i & UF_WORKSTATION_TRUST_ACCOUNT) == 0) 989 entry->attributes |= KRB5_KDB_DISALLOW_SVR; 990 } 991 } 992 if (mask & KADM5_KVNO) { 993 vals = ldap_get_values(CTX2LP(context), m0, 994 "msDS-KeyVersionNumber"); 995 if (vals) 996 entry->kvno = atoi(vals[0]); 997 else 998 entry->kvno = 0; 999 } 1000 ldap_msgfree(m); 1001 } else { 1002 return KADM5_UNK_PRINC; 1003 } 1004 1005 if (mask & KADM5_PRINCIPAL) 1006 krb5_copy_principal(context->context, principal, &entry->principal); 1007 1008 return 0; 1009 fail: 1010 return KADM5_RPC_ERROR; 1011#else 1012 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1013 return KADM5_RPC_ERROR; 1014#endif 1015} 1016 1017static kadm5_ret_t 1018kadm5_ad_get_principals(void *server_handle, 1019 const char *expression, 1020 char ***principals, 1021 int *count) 1022{ 1023 kadm5_ad_context *context = server_handle; 1024 1025 /* 1026 * KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES 1027 */ 1028 1029#ifdef OPENLDAP 1030 kadm5_ret_t ret; 1031 1032 ret = ad_get_cred(context, NULL); 1033 if (ret) 1034 return ret; 1035 1036 ret = _kadm5_ad_connect(server_handle); 1037 if (ret) 1038 return ret; 1039 1040 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1041 return KADM5_RPC_ERROR; 1042#else 1043 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1044 return KADM5_RPC_ERROR; 1045#endif 1046} 1047 1048static kadm5_ret_t 1049kadm5_ad_get_privs(void *server_handle, uint32_t*privs) 1050{ 1051 kadm5_ad_context *context = server_handle; 1052 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1053 return KADM5_RPC_ERROR; 1054} 1055 1056static kadm5_ret_t 1057kadm5_ad_modify_principal(void *server_handle, 1058 kadm5_principal_ent_t entry, 1059 uint32_t mask) 1060{ 1061 kadm5_ad_context *context = server_handle; 1062 1063 /* 1064 * KADM5_ATTRIBUTES 1065 * KRB5_KDB_DISALLOW_ALL_TIX (| KADM5_KVNO) 1066 */ 1067 1068#ifdef OPENLDAP 1069 LDAPMessage *m = NULL, *m0; 1070 kadm5_ret_t ret; 1071 char **attr = NULL; 1072 int attrlen = 0; 1073 char *p = NULL, *s = NULL, *q; 1074 char **vals; 1075 LDAPMod *attrs[4], rattrs[3], *a; 1076 char *uaf[2] = { NULL, NULL }; 1077 char *kvno[2] = { NULL, NULL }; 1078 char *tv[2] = { NULL, NULL }; 1079 char *filter, *dn; 1080 int i; 1081 1082 for (i = 0; i < sizeof(rattrs)/sizeof(rattrs[0]); i++) 1083 attrs[i] = &rattrs[i]; 1084 attrs[i] = NULL; 1085 a = &rattrs[0]; 1086 1087 ret = _kadm5_ad_connect(server_handle); 1088 if (ret) 1089 return ret; 1090 1091 if (mask & KADM5_KVNO) 1092 laddattr(&attr, &attrlen, "msDS-KeyVersionNumber"); 1093 if (mask & KADM5_PRINC_EXPIRE_TIME) 1094 laddattr(&attr, &attrlen, "accountExpires"); 1095 if (mask & KADM5_ATTRIBUTES) 1096 laddattr(&attr, &attrlen, "userAccountControl"); 1097 laddattr(&attr, &attrlen, "distinguishedName"); 1098 1099 krb5_unparse_name(context->context, entry->principal, &p); 1100 1101 s = strdup(p); 1102 1103 q = strrchr(s, '@'); 1104 if (q && (p != q && *(q - 1) != '\\')) 1105 *q = '\0'; 1106 1107 asprintf(&filter, 1108 "(|(userPrincipalName=%s)(servicePrincipalName=%s))", 1109 s, s); 1110 free(p); 1111 free(s); 1112 1113 ret = ldap_search_s(CTX2LP(context), CTX2BASE(context), 1114 LDAP_SCOPE_SUBTREE, 1115 filter, attr, 0, &m); 1116 free(attr); 1117 free(filter); 1118 if (check_ldap(context, ret)) 1119 return KADM5_RPC_ERROR; 1120 1121 if (ldap_count_entries(CTX2LP(context), m) <= 0) { 1122 ret = KADM5_RPC_ERROR; 1123 goto out; 1124 } 1125 1126 m0 = ldap_first_entry(CTX2LP(context), m); 1127 1128 if (mask & KADM5_ATTRIBUTES) { 1129 int32_t i; 1130 1131 vals = ldap_get_values(CTX2LP(context), m0, "userAccountControl"); 1132 if (vals == NULL) { 1133 ret = KADM5_RPC_ERROR; 1134 goto out; 1135 } 1136 1137 i = atoi(vals[0]); 1138 if (i == 0) 1139 return KADM5_RPC_ERROR; 1140 1141 if (entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX) 1142 i |= (UF_ACCOUNTDISABLE|UF_LOCKOUT); 1143 else 1144 i &= ~(UF_ACCOUNTDISABLE|UF_LOCKOUT); 1145 if (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH) 1146 i &= ~UF_DONT_REQUIRE_PREAUTH; 1147 else 1148 i |= UF_DONT_REQUIRE_PREAUTH; 1149 if (entry->attributes & KRB5_KDB_REQUIRES_HW_AUTH) 1150 i |= UF_SMARTCARD_REQUIRED; 1151 else 1152 i &= UF_SMARTCARD_REQUIRED; 1153 if (entry->attributes & KRB5_KDB_DISALLOW_SVR) 1154 i &= ~UF_WORKSTATION_TRUST_ACCOUNT; 1155 else 1156 i |= UF_WORKSTATION_TRUST_ACCOUNT; 1157 1158 asprintf(&uaf[0], "%d", i); 1159 1160 a->mod_op = LDAP_MOD_REPLACE; 1161 a->mod_type = "userAccountControl"; 1162 a->mod_values = uaf; 1163 a++; 1164 } 1165 1166 if (mask & KADM5_KVNO) { 1167 vals = ldap_get_values(CTX2LP(context), m0, "msDS-KeyVersionNumber"); 1168 if (vals == NULL) { 1169 entry->kvno = 0; 1170 } else { 1171 asprintf(&kvno[0], "%d", entry->kvno); 1172 1173 a->mod_op = LDAP_MOD_REPLACE; 1174 a->mod_type = "msDS-KeyVersionNumber"; 1175 a->mod_values = kvno; 1176 a++; 1177 } 1178 } 1179 1180 if (mask & KADM5_PRINC_EXPIRE_TIME) { 1181 long long wt; 1182 vals = ldap_get_values(CTX2LP(context), m0, "accountExpires"); 1183 if (vals == NULL) { 1184 ret = KADM5_RPC_ERROR; 1185 goto out; 1186 } 1187 1188 wt = unix2nttime(entry->princ_expire_time); 1189 1190 asprintf(&tv[0], "%llu", wt); 1191 1192 a->mod_op = LDAP_MOD_REPLACE; 1193 a->mod_type = "accountExpires"; 1194 a->mod_values = tv; 1195 a++; 1196 } 1197 1198 vals = ldap_get_values(CTX2LP(context), m0, "distinguishedName"); 1199 if (vals == NULL) { 1200 ret = KADM5_RPC_ERROR; 1201 goto out; 1202 } 1203 dn = vals[0]; 1204 1205 attrs[a - &rattrs[0]] = NULL; 1206 1207 ret = ldap_modify_s(CTX2LP(context), dn, attrs); 1208 if (check_ldap(context, ret)) 1209 return KADM5_RPC_ERROR; 1210 1211 out: 1212 if (m) 1213 ldap_msgfree(m); 1214 if (uaf[0]) 1215 free(uaf[0]); 1216 if (kvno[0]) 1217 free(kvno[0]); 1218 if (tv[0]) 1219 free(tv[0]); 1220 return ret; 1221#else 1222 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1223 return KADM5_RPC_ERROR; 1224#endif 1225} 1226 1227static kadm5_ret_t 1228kadm5_ad_randkey_principal(void *server_handle, 1229 krb5_principal principal, 1230 krb5_keyblock **keys, 1231 int *n_keys) 1232{ 1233 kadm5_ad_context *context = server_handle; 1234 1235 /* 1236 * random key 1237 */ 1238 1239#ifdef OPENLDAP 1240 krb5_data result_code_string, result_string; 1241 int result_code, plen; 1242 kadm5_ret_t ret; 1243 char *password; 1244 1245 *keys = NULL; 1246 *n_keys = 0; 1247 1248 { 1249 char p[64]; 1250 krb5_generate_random_block(p, sizeof(p)); 1251 plen = base64_encode(p, sizeof(p), &password); 1252 if (plen < 0) 1253 return ENOMEM; 1254 } 1255 1256 ret = ad_get_cred(context, NULL); 1257 if (ret) { 1258 free(password); 1259 return ret; 1260 } 1261 1262 krb5_data_zero (&result_code_string); 1263 krb5_data_zero (&result_string); 1264 1265 ret = krb5_set_password_using_ccache (context->context, 1266 context->ccache, 1267 password, 1268 principal, 1269 &result_code, 1270 &result_code_string, 1271 &result_string); 1272 1273 krb5_data_free (&result_code_string); 1274 krb5_data_free (&result_string); 1275 1276 if (ret == 0) { 1277 1278 *keys = malloc(sizeof(**keys) * 1); 1279 if (*keys == NULL) { 1280 ret = ENOMEM; 1281 goto out; 1282 } 1283 *n_keys = 1; 1284 1285 ret = krb5_string_to_key(context->context, 1286 ENCTYPE_ARCFOUR_HMAC_MD5, 1287 password, 1288 principal, 1289 &(*keys)[0]); 1290 memset(password, 0, sizeof(password)); 1291 if (ret) { 1292 free(*keys); 1293 *keys = NULL; 1294 *n_keys = 0; 1295 goto out; 1296 } 1297 } 1298 memset(password, 0, plen); 1299 free(password); 1300 out: 1301 return ret; 1302#else 1303 *keys = NULL; 1304 *n_keys = 0; 1305 1306 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1307 return KADM5_RPC_ERROR; 1308#endif 1309} 1310 1311static kadm5_ret_t 1312kadm5_ad_rename_principal(void *server_handle, 1313 krb5_principal from, 1314 krb5_principal to) 1315{ 1316 kadm5_ad_context *context = server_handle; 1317 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1318 return KADM5_RPC_ERROR; 1319} 1320 1321static kadm5_ret_t 1322kadm5_ad_chpass_principal_with_key(void *server_handle, 1323 krb5_principal princ, 1324 int n_key_data, 1325 krb5_key_data *key_data) 1326{ 1327 kadm5_ad_context *context = server_handle; 1328 krb5_set_error_message(context->context, KADM5_RPC_ERROR, "Function not implemented"); 1329 return KADM5_RPC_ERROR; 1330} 1331 1332static void 1333set_funcs(kadm5_ad_context *c) 1334{ 1335#define SET(C, F) (C)->funcs.F = kadm5_ad_ ## F 1336 SET(c, chpass_principal); 1337 SET(c, chpass_principal_with_key); 1338 SET(c, create_principal); 1339 SET(c, delete_principal); 1340 SET(c, destroy); 1341 SET(c, flush); 1342 SET(c, get_principal); 1343 SET(c, get_principals); 1344 SET(c, get_privs); 1345 SET(c, modify_principal); 1346 SET(c, randkey_principal); 1347 SET(c, rename_principal); 1348} 1349 1350kadm5_ret_t 1351kadm5_ad_init_with_password_ctx(krb5_context context, 1352 const char *client_name, 1353 const char *password, 1354 const char *service_name, 1355 kadm5_config_params *realm_params, 1356 unsigned long struct_version, 1357 unsigned long api_version, 1358 void **server_handle) 1359{ 1360 kadm5_ret_t ret; 1361 kadm5_ad_context *ctx; 1362 1363 ctx = malloc(sizeof(*ctx)); 1364 if(ctx == NULL) 1365 return ENOMEM; 1366 memset(ctx, 0, sizeof(*ctx)); 1367 set_funcs(ctx); 1368 1369 ctx->context = context; 1370 krb5_add_et_list (context, initialize_kadm5_error_table_r); 1371 1372 ret = krb5_parse_name(ctx->context, client_name, &ctx->caller); 1373 if(ret) { 1374 free(ctx); 1375 return ret; 1376 } 1377 1378 if(realm_params->mask & KADM5_CONFIG_REALM) { 1379 ret = 0; 1380 ctx->realm = strdup(realm_params->realm); 1381 if (ctx->realm == NULL) 1382 ret = ENOMEM; 1383 } else 1384 ret = krb5_get_default_realm(ctx->context, &ctx->realm); 1385 if (ret) { 1386 free(ctx); 1387 return ret; 1388 } 1389 1390 ctx->client_name = strdup(client_name); 1391 1392 if(password != NULL && *password != '\0') 1393 ret = ad_get_cred(ctx, password); 1394 else 1395 ret = ad_get_cred(ctx, NULL); 1396 if(ret) { 1397 kadm5_ad_destroy(ctx); 1398 return ret; 1399 } 1400 1401#ifdef OPENLDAP 1402 ret = _kadm5_ad_connect(ctx); 1403 if (ret) { 1404 kadm5_ad_destroy(ctx); 1405 return ret; 1406 } 1407#endif 1408 1409 *server_handle = ctx; 1410 return 0; 1411} 1412 1413kadm5_ret_t 1414kadm5_ad_init_with_password(const char *client_name, 1415 const char *password, 1416 const char *service_name, 1417 kadm5_config_params *realm_params, 1418 unsigned long struct_version, 1419 unsigned long api_version, 1420 void **server_handle) 1421{ 1422 krb5_context context; 1423 kadm5_ret_t ret; 1424 kadm5_ad_context *ctx; 1425 1426 ret = krb5_init_context(&context); 1427 if (ret) 1428 return ret; 1429 ret = kadm5_ad_init_with_password_ctx(context, 1430 client_name, 1431 password, 1432 service_name, 1433 realm_params, 1434 struct_version, 1435 api_version, 1436 server_handle); 1437 if(ret) { 1438 krb5_free_context(context); 1439 return ret; 1440 } 1441 ctx = *server_handle; 1442 ctx->my_context = 1; 1443 return 0; 1444} 1445