326
329
ret = krb5_pac_verify(context, pac, tkt->authtime,
327
330
client_principal,
331
krbtgt_check_key, NULL);
330
333
krb5_pac_free(context, pac);
334
337
ret = _kdc_pac_verify(context, client_principal,
335
client, server, &pac);
338
client, server, krbtgt, &pac, &signed_pac);
337
340
krb5_pac_free(context, pac);
342
ret = _krb5_pac_sign(context, pac, tkt->authtime,
344
server_key, krbtgt_key, rspac);
345
* Only re-sign PAC if we could verify it with the PAC
346
* function. The no-verify case happens when we get in
347
* a PAC from cross realm from a Windows domain and
348
* that there is no PAC verification function.
352
ret = _krb5_pac_sign(context, pac, tkt->authtime,
354
server_key, krbtgt_sign_key, rspac);
346
356
krb5_pac_free(context, pac);
1109
1168
ap_req.ticket.sname,
1110
1169
ap_req.ticket.realm);
1112
ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
1171
ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
1173
if(ret == HDB_ERR_NOT_FOUND_HERE) {
1175
ret = krb5_unparse_name(context, princ, &p);
1177
p = "<unparse_name failed>";
1178
krb5_free_principal(context, princ);
1179
kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
1182
ret = HDB_ERR_NOT_FOUND_HERE;
1185
const char *msg = krb5_get_error_message(context, ret);
1116
1187
ret = krb5_unparse_name(context, princ, &p);
1118
1189
p = "<unparse_name failed>";
1119
1190
krb5_free_principal(context, princ);
1120
1191
kdc_log(context, config, 0,
1121
"Ticket-granting ticket not found in database: %s: %s",
1122
p, krb5_get_err_text(context, ret));
1192
"Ticket-granting ticket not found in database: %s", msg);
1193
krb5_free_error_message(context, msg);
1125
1196
ret = KRB5KRB_AP_ERR_NOT_US;
1291
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1294
ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1296
const char *msg = krb5_get_error_message(context, ret);
1297
krb5_auth_con_free(context, ac);
1298
kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
1299
krb5_free_error_message(context, msg);
1303
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1306
ret = krb5_auth_con_getkey(context, ac, &subkey);
1308
const char *msg = krb5_get_error_message(context, ret);
1309
krb5_auth_con_free(context, ac);
1310
kdc_log(context, config, 0, "Failed to get session key: %s", msg);
1311
krb5_free_error_message(context, msg);
1316
krb5_auth_con_free(context, ac);
1317
kdc_log(context, config, 0,
1318
"Failed to get key for enc-authorization-data");
1319
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1219
1325
if (b->enc_authorization_data) {
1220
unsigned usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
1221
krb5_keyblock *subkey;
1224
ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
1226
krb5_auth_con_free(context, ac);
1227
kdc_log(context, config, 0, "Failed to get remote subkey: %s",
1228
krb5_get_err_text(context, ret));
1232
usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
1233
ret = krb5_auth_con_getkey(context, ac, &subkey);
1235
krb5_auth_con_free(context, ac);
1236
kdc_log(context, config, 0, "Failed to get session key: %s",
1237
krb5_get_err_text(context, ret));
1242
krb5_auth_con_free(context, ac);
1243
kdc_log(context, config, 0,
1244
"Failed to get key for enc-authorization-data");
1245
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
1248
1328
ret = krb5_crypto_init(context, subkey, 0, &crypto);
1249
krb5_free_keyblock(context, subkey);
1330
const char *msg = krb5_get_error_message(context, ret);
1251
1331
krb5_auth_con_free(context, ac);
1252
kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
1253
krb5_get_err_text(context, ret));
1332
kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
1333
krb5_free_error_message(context, msg);
1256
1336
ret = krb5_decrypt_EncryptedData (context,
1541
1630
krb5_free_host_realm(context, realms);
1632
msg = krb5_get_error_message(context, ret);
1543
1633
kdc_log(context, config, 0,
1544
"Server not found in database: %s: %s", spn,
1545
krb5_get_err_text(context, ret));
1634
"Server not found in database: %s: %s", spn, msg);
1635
krb5_free_error_message(context, msg);
1546
1636
if (ret == HDB_ERR_NOENTRY)
1547
1637
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
1551
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
1552
&clientdb, &client);
1554
const char *krbtgt_realm;
1557
* If the client belongs to the same realm as our krbtgt, it
1558
* should exist in the local database.
1563
krb5_principal_get_comp_string(context,
1564
krbtgt->entry.principal, 1);
1566
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1567
if (ret == HDB_ERR_NOENTRY)
1568
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1569
kdc_log(context, config, 1, "Client no longer in database: %s",
1574
kdc_log(context, config, 1, "Client not found in database: %s: %s",
1575
cpn, krb5_get_err_text(context, ret));
1579
1642
* Select enctype, return key and kvno.
1625
if (strcmp(krb5_principal_get_realm(context, sp),
1626
krb5_principal_get_comp_string(context,
1627
krbtgt->entry.principal,
1690
* Validate authoriation data
1693
ret = hdb_enctype2key(context, &krbtgt->entry,
1694
krbtgt_etype, &tkey_check);
1696
kdc_log(context, config, 0,
1697
"Failed to find key for krbtgt PAC check");
1701
/* Now refetch the primary krbtgt, and get the current kvno (the
1702
* sign check may have been on an old kvno, and the server may
1703
* have been an incoming trust) */
1704
ret = krb5_make_principal(context, &krbtgt_principal,
1705
krb5_principal_get_comp_string(context,
1706
krbtgt->entry.principal,
1709
krb5_principal_get_comp_string(context,
1710
krbtgt->entry.principal,
1713
kdc_log(context, config, 0,
1714
"Failed to generate krbtgt principal");
1718
ret = _kdc_db_fetch(context, config, krbtgt_principal, HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);
1719
krb5_free_principal(context, krbtgt_principal);
1721
krb5_error_code ret2;
1723
ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
1724
ret2 = krb5_unparse_name(context, krbtgt->entry.principal, &tpn2);
1725
kdc_log(context, config, 0,
1726
"Request with wrong krbtgt: %s, %s not found in our database",
1727
(ret == 0) ? tpn : "<unknown>", (ret2 == 0) ? tpn2 : "<unknown>");
1732
ret = KRB5KRB_AP_ERR_NOT_US;
1736
/* The first realm is the realm of the service, the second is
1737
* krbtgt/<this>/@REALM component of the krbtgt DN the request was
1738
* encrypted to. The redirection via the krbtgt_out entry allows
1739
* the DB to possibly correct the case of the realm (Samba4 does
1740
* this) before the strcmp() */
1741
if (strcmp(krb5_principal_get_realm(context, server->entry.principal),
1742
krb5_principal_get_realm(context, krbtgt_out->entry.principal)) != 0) {
1630
ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
1744
ret = krb5_unparse_name(context, krbtgt_out->entry.principal, &tpn);
1631
1745
kdc_log(context, config, 0,
1632
1746
"Request with wrong krbtgt: %s",
1633
1747
(ret == 0) ? tpn : "<unknown>");
1636
1750
ret = KRB5KRB_AP_ERR_NOT_US;
1641
* Validate authoriation data
1644
ret = hdb_enctype2key(context, &krbtgt->entry,
1645
krbtgt_etype, &tkey);
1753
ret = hdb_enctype2key(context, &krbtgt_out->entry,
1754
krbtgt_etype, &tkey_sign);
1647
1756
kdc_log(context, config, 0,
1648
"Failed to find key for krbtgt PAC check");
1757
"Failed to find key for krbtgt PAC signature");
1761
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
1762
NULL, &clientdb, &client);
1763
if(ret == HDB_ERR_NOT_FOUND_HERE) {
1764
/* This is OK, we are just trying to find out if they have
1765
* been disabled or deleted in the meantime, missing secrets
1768
const char *krbtgt_realm, *msg;
1771
* If the client belongs to the same realm as our krbtgt, it
1772
* should exist in the local database.
1776
krbtgt_realm = krb5_principal_get_realm(context, krbtgt_out->entry.principal);
1778
if(strcmp(krb5_principal_get_realm(context, cp), krbtgt_realm) == 0) {
1779
if (ret == HDB_ERR_NOENTRY)
1780
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1781
kdc_log(context, config, 1, "Client no longer in database: %s",
1786
msg = krb5_get_error_message(context, ret);
1787
kdc_log(context, config, 1, "Client not found in database: %s", msg);
1788
krb5_free_error_message(context, msg);
1652
1791
ret = check_PAC(context, config, cp,
1653
client, server, ekey, &tkey->key,
1792
client, server, krbtgt, ekey, &tkey_check->key, &tkey_sign->key,
1654
1793
tgt, &rspac, &signedpath);
1795
const char *msg = krb5_get_error_message(context, ret);
1656
1796
kdc_log(context, config, 0,
1657
1797
"Verify PAC failed for %s (%s) from %s with %s",
1658
spn, cpn, from, krb5_get_err_text(context, ret));
1798
spn, cpn, from, msg);
1799
krb5_free_error_message(context, msg);
1889
/* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
1892
krb5_data_free(&rspac);
1893
ret = _kdc_db_fetch(context, config, client_principal, HDB_F_GET_CLIENT | HDB_F_CANON,
1894
NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
1899
* If the client belongs to the same realm as our krbtgt, it
1900
* should exist in the local database.
1904
if (ret == HDB_ERR_NOENTRY)
1905
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1906
msg = krb5_get_error_message(context, ret);
1907
kdc_log(context, config, 1, "S2U4Self principal to impersonate %s not found in database: %s", cpn, msg);
1908
krb5_free_error_message(context, msg);
1911
ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
1913
kdc_log(context, config, 0, "PAC generation failed for -- %s",
1918
ret = _krb5_pac_sign(context, p, ticket->ticket.authtime,
1919
s4u2self_impersonated_client->entry.principal,
1920
ekey, &tkey_sign->key,
1922
krb5_pac_free(context, p);
1924
kdc_log(context, config, 0, "PAC signing failed for -- %s",
1744
1932
* Check that service doing the impersonating is
1745
1933
* requesting a ticket to it-self.
1747
if (krb5_principal_compare(context, cp, sp) != TRUE) {
1935
ret = check_s4u2self(context, config, clientdb, client, sp);
1748
1937
kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
1749
"to impersonate some other user "
1938
"to impersonate to service "
1750
1939
"(tried for user %s to service %s)",
1751
1940
cpn, selfcpn, spn);
1753
ret = KRB5KDC_ERR_BADOPTION; /* ? */