<!ENTITY pathconfig.SAMBA_DATADIR '\${prefix}/var/samba'>
<!ENTITY pathconfig.CTDB_DATADIR '\${prefix}/share/ctdb'>
<!ENTITY pathconfig.CONFIGFILE '\${prefix}/etc/smb.conf'>
+<!ENTITY pathconfig.HIMMELBLAUD_HSM_PIN_PATH '\${prefix}/var/lib/himmelblaud/hsm-pin'>
"
--- /dev/null
+<samba:parameter name="himmelblaud hsm pin path"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Specifies the file path where the HSM PIN is stored. This PIN is used
+ for unlocking TPM objects required for Azure Entra ID authentication. The HSM
+ PIN is critical for ensuring secure communication and authentication within
+ the Himmelblaud daemon.</para>
+</description>
+
+<value type="default">&pathconfig.HIMMELBLAUD_HSM_PIN_PATH;</value>
+</samba:parameter>
DEFINE_DYN_CONFIG_PARAM(PYTHONDIR)
DEFINE_DYN_CONFIG_PARAM(PYTHONARCHDIR)
DEFINE_DYN_CONFIG_PARAM(SCRIPTSBINDIR)
+DEFINE_DYN_CONFIG_PARAM(HIMMELBLAUD_HSM_PIN_PATH)
DEFINE_DYN_CONFIG_PROTO(PYTHONDIR)
DEFINE_DYN_CONFIG_PROTO(PYTHONARCHDIR)
DEFINE_DYN_CONFIG_PROTO(SCRIPTSBINDIR)
+DEFINE_DYN_CONFIG_PROTO(HIMMELBLAUD_HSM_PIN_PATH)
'HELPTEXT': 'Where to put the smbpasswd file',
'DELAY': True,
},
+ 'HIMMELBLAUD_HSM_PIN_PATH': {
+ 'STD-PATH': '${LOCALSTATEDIR}/lib/himmelblaud/hsm-pin',
+ 'FHS-PATH': '${LOCALSTATEDIR}/lib/himmelblaud/hsm-pin',
+ 'OPTION': '--with-himmelblaud-hsm-pin-path',
+ 'HELPTEXT': 'Where to store the hsm pin',
+ 'DELAY': True,
+ },
}
def options(opt):
"AD DC only");
/* Set the default Himmelblaud globals */
+ lpcfg_do_global_parameter(lp_ctx,
+ "himmelblaud hsm pin path",
+ get_dyn_HIMMELBLAUD_HSM_PIN_PATH());
lpcfg_do_global_parameter(lp_ctx,
"himmelblaud hello enabled",
"false");
})
}
- pub(crate) fn hsm_pin_fetch_or_create(
- &mut self,
- ) -> Result<AuthValue, Box<NTSTATUS>> {
- let hsm_pin = match self.cache.fetch_str("auth_value") {
- Some(hsm_pin) => hsm_pin,
- None => {
- let auth_str = match AuthValue::generate() {
- Ok(auth_str) => auth_str,
- Err(e) => {
- DBG_ERR!("Failed to create hsm pin: {:?}", e);
- return Err(Box::new(NT_STATUS_UNSUCCESSFUL));
- }
- };
- self.cache.store_bytes("auth_value", auth_str.as_bytes())?;
- auth_str
- }
- };
- match AuthValue::try_from(hsm_pin.as_bytes()) {
- Ok(auth_value) => Ok(auth_value),
- Err(e) => {
- DBG_ERR!("Invalid hsm pin: {:?}", e);
- return Err(Box::new(NT_STATUS_UNSUCCESSFUL));
- }
- }
- }
-
pub(crate) fn loadable_machine_key_fetch_or_create(
&mut self,
hsm: &mut BoxedDynTpm,
};
// Check for and create the hsm pin if required.
- let auth_value = match pcache.hsm_pin_fetch_or_create() {
- Ok(auth_value) => auth_value,
- Err(e) => {
- DBG_ERR!("{:?}", e);
+ let hsm_pin_path = match lp.himmelblaud_hsm_pin_path() {
+ Ok(Some(hsm_pin_path)) => hsm_pin_path,
+ _ => {
+ DBG_ERR!("Failed loading hsm pin path.");
return ExitCode::FAILURE;
}
};
+ let auth_value =
+ match utils::hsm_pin_fetch_or_create(&hsm_pin_path).await {
+ Ok(auth_value) => auth_value,
+ Err(e) => {
+ DBG_ERR!("{:?}", e);
+ return ExitCode::FAILURE;
+ }
+ };
// Setup the HSM and its machine key
let mut hsm: BoxedDynTpm = BoxedDynTpm::new(SoftTpm::new());
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+use dbg::{DBG_ERR, DBG_INFO};
+use kanidm_hsm_crypto::AuthValue;
use ntstatus_gen::*;
+use std::path::PathBuf;
+use std::str::FromStr;
+use tokio::fs::File;
+use tokio::io::AsyncReadExt;
pub fn split_username(
username: &str,
}
Err(Box::new(NT_STATUS_INVALID_USER_PRINCIPAL_NAME))
}
+
+pub(crate) async fn hsm_pin_fetch_or_create(
+ hsm_pin_path: &str,
+) -> Result<AuthValue, Box<NTSTATUS>> {
+ let auth_value = if !PathBuf::from_str(hsm_pin_path)
+ .map_err(|e| {
+ DBG_ERR!("Failed to create hsm pin: {:?}", e);
+ Box::new(NT_STATUS_UNSUCCESSFUL)
+ })?
+ .exists()
+ {
+ let auth_value = AuthValue::generate().map_err(|e| {
+ DBG_ERR!("Failed to create hsm pin: {:?}", e);
+ Box::new(NT_STATUS_UNSUCCESSFUL)
+ })?;
+ std::fs::write(hsm_pin_path, auth_value.clone()).map_err(|e| {
+ DBG_ERR!("Failed to write hsm pin: {:?}", e);
+ Box::new(NT_STATUS_UNSUCCESSFUL)
+ })?;
+
+ DBG_INFO!("Generated new HSM pin");
+ auth_value
+ } else {
+ let mut file = File::open(hsm_pin_path).await.map_err(|e| {
+ DBG_ERR!("Failed to read hsm pin: {:?}", e);
+ Box::new(NT_STATUS_UNSUCCESSFUL)
+ })?;
+ let mut auth_value = vec![];
+ file.read_to_end(&mut auth_value).await.map_err(|e| {
+ DBG_ERR!("Failed to read hsm pin: {:?}", e);
+ Box::new(NT_STATUS_UNSUCCESSFUL)
+ })?;
+ std::str::from_utf8(&auth_value)
+ .map_err(|e| {
+ DBG_ERR!("Failed to read hsm pin: {:?}", e);
+ Box::new(NT_STATUS_UNSUCCESSFUL)
+ })?
+ .to_string()
+ };
+ AuthValue::try_from(auth_value.as_bytes()).map_err(|e| {
+ DBG_ERR!("Invalid hsm pin: {:?}", e);
+ Box::new(NT_STATUS_UNSUCCESSFUL)
+ })
+}
lpcfg_str!(cache_directory);
lpcfg_str!(template_homedir);
lpcfg_str!(template_shell);
+ lpcfg_str!(himmelblaud_hsm_pin_path);
}
unsafe impl Send for LoadParm {}
Globals.acl_claims_evaluation = ACL_CLAIMS_EVALUATION_AD_DC_ONLY;
/* Set the default Himmelblaud globals */
+ lpcfg_string_set(Globals.ctx,
+ &Globals.himmelblaud_hsm_pin_path,
+ get_dyn_HIMMELBLAUD_HSM_PIN_PATH());
Globals.himmelblaud_hello_enabled = false;
Globals.himmelblaud_sfa_fallback = false;
projects / thirdparty / samba.git / commitdiff
