From: Joseph Sutton Date: Tue, 15 Aug 2023 03:16:57 +0000 (+1200) Subject: s4:kdc: Remove support code for older versions of MIT Kerberos X-Git-Tag: tevent-0.16.0~875 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bbfa98ec05c800dfcd165e1159e1d595d90209f1;p=thirdparty%2Fsamba.git s4:kdc: Remove support code for older versions of MIT Kerberos The oldest version we now support is 1.21. For every supported version we can be certain that KRB5_KDB_API_VERSION >= 10 and KRB5_KDB_DAL_MAJOR_VERSION >= 9. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c index 0ff1bfe6c5c..e8fcfc87471 100644 --- a/source4/kdc/mit-kdb/kdb_samba.c +++ b/source4/kdc/mit-kdb/kdb_samba.c @@ -140,7 +140,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context, kdb_vftabl kdb_function_table = { .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, - .min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0, + .min_ver = 0, .init_library = kdb_samba_init_library, .fini_library = kdb_samba_fini_library, @@ -173,10 +173,6 @@ kdb_vftabl kdb_function_table = { .free_principal_e_data = kdb_samba_db_free_principal_e_data, -#if KRB5_KDB_DAL_MAJOR_VERSION >= 9 .allowed_to_delegate_from = kdb_samba_db_allowed_to_delegate_from, .issue_pac = kdb_samba_db_issue_pac, -#else - .sign_authdata = kdb_samba_db_sign_auth_data, -#endif }; diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index b5a2e25ec17..56bd0dd5f89 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -194,377 +194,6 @@ static krb5_error_code ks_get_pac(krb5_context context, return code; } -#if KRB5_KDB_DAL_MAJOR_VERSION < 9 -static krb5_error_code ks_verify_pac(krb5_context context, - unsigned int flags, - krb5_const_principal client_princ, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_timestamp authtime, - krb5_authdata **tgt_auth_data, - krb5_pac *pac) -{ - struct mit_samba_context *mit_ctx; - krb5_authdata **authdata = NULL; - krb5_pac ipac = NULL; - DATA_BLOB logon_data = { NULL, 0 }; - krb5_error_code code; - - mit_ctx = ks_get_context(context); - if (mit_ctx == NULL) { - return KRB5_KDB_DBNOTINITED; - } - - /* find the existing PAC, if present */ - code = krb5_find_authdata(context, - tgt_auth_data, - NULL, - KRB5_AUTHDATA_WIN2K_PAC, - &authdata); - if (code != 0) { - return code; - } - - /* no pac data */ - if (authdata == NULL) { - return 0; - } - - SMB_ASSERT(authdata[0] != NULL); - - if (authdata[1] != NULL) { - code = KRB5KDC_ERR_BADOPTION; /* XXX */ - goto done; - } - - code = krb5_pac_parse(context, - authdata[0]->contents, - authdata[0]->length, - &ipac); - if (code != 0) { - goto done; - } - - /* TODO: verify this is correct - * - * In the constrained delegation case, the PAC is from a service - * ticket rather than a TGT; we must verify the server and KDC - * signatures to assert that the server did not forge the PAC. - */ - if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { - code = krb5_pac_verify(context, - ipac, - authtime, - client_princ, - server_key, - krbtgt_key); - } else { - code = krb5_pac_verify(context, - ipac, - authtime, - client_princ, - krbtgt_key, - NULL); - } - if (code != 0) { - goto done; - } - - /* check and update PAC */ - code = krb5_pac_parse(context, - authdata[0]->contents, - authdata[0]->length, - pac); - if (code != 0) { - goto done; - } - - code = mit_samba_reget_pac(mit_ctx, - context, - flags, - client_princ, - client, - server, - krbtgt, - krbtgt_key, - pac); - -done: - krb5_free_authdata(context, authdata); - krb5_pac_free(context, ipac); - free(logon_data.data); - - return code; -} - -krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, - unsigned int flags, - krb5_const_principal client_princ, - krb5_const_principal server_princ, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_db_entry *local_krbtgt, - krb5_keyblock *client_key, - krb5_keyblock *server_key, - krb5_keyblock *krbtgt_key, - krb5_keyblock *local_krbtgt_key, - krb5_keyblock *session_key, - krb5_timestamp authtime, - krb5_authdata **tgt_auth_data, - void *authdata_info, - krb5_data ***auth_indicators, - krb5_authdata ***signed_auth_data) -{ - krb5_const_principal ks_client_princ = NULL; - krb5_db_entry *client_entry = NULL; - krb5_authdata **pac_auth_data = NULL; - krb5_authdata **authdata = NULL; - krb5_boolean is_as_req; - krb5_error_code code; - krb5_pac pac = NULL; - krb5_data pac_data; - bool with_pac = false; - bool generate_pac = false; - char *client_name = NULL; - - - krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; - krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; - - /* FIXME: We don't support S4U yet */ - if (flags & KRB5_KDB_FLAGS_S4U) { - return KRB5_KDB_DBTYPE_NOSUP; - } - - is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); - - /* - * When using s4u2proxy client_princ actually refers to the proxied user - * while client->princ to the proxy service asking for the TGS on behalf - * of the proxied user. So always use client_princ in preference. - * - * Note that when client principal is not NULL, client entry might be - * NULL for cross-realm case, so we need to make sure to not - * dereference NULL pointer here. - */ - if (client_princ != NULL) { - ks_client_princ = client_princ; - if (!is_as_req) { - krb5_boolean is_equal = false; - - if (client != NULL && client->princ != NULL) { - is_equal = - krb5_principal_compare(context, - client_princ, - client->princ); - } - - /* - * When client principal is the same as supplied client - * entry, don't fetch it. - */ - if (!is_equal) { - code = ks_get_principal(context, - ks_client_princ, - 0, - &client_entry); - if (code != 0) { - (void)krb5_unparse_name(context, - ks_client_princ, - &client_name); - - DBG_DEBUG("We didn't find the client " - "principal [%s] in our " - "database.\n", - client_name); - SAFE_FREE(client_name); - - /* - * If we didn't find client_princ in our - * database it might be from another - * realm. - */ - client_entry = NULL; - } - } - } - } else { - if (client == NULL) { - *signed_auth_data = NULL; - return 0; - } - ks_client_princ = client->princ; - } - - if (client_entry == NULL) { - client_entry = client; - } - - if (is_as_req) { - with_pac = mit_samba_princ_needs_pac(client_entry); - } else { - with_pac = mit_samba_princ_needs_pac(server); - } - - code = krb5_unparse_name(context, - client_princ, - &client_name); - if (code != 0) { - goto done; - } - - if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC) != 0) { - generate_pac = true; - } - - DBG_DEBUG("*** Sign data for client principal: %s [%s %s%s]\n", - client_name, - is_as_req ? "AS-REQ" : "TGS_REQ", - with_pac ? is_as_req ? "WITH_PAC" : "FIND_PAC" : "NO_PAC", - generate_pac ? " GENERATE_PAC" : ""); - - /* - * Generate PAC for the AS-REQ or check or generate one for the TGS if - * needed. - */ - if (with_pac && generate_pac) { - DBG_DEBUG("Generate PAC for AS-REQ [%s]\n", client_name); - - code = krb5_pac_init(context, &pac); - if (code != 0) { - goto done; - } - - code = ks_get_pac(context, - flags, - client_entry, - server, - NULL, - &pac); - if (code != 0) { - goto done; - } - } else if (with_pac && !is_as_req) { - /* - * Find the PAC in the TGS, if one exists. - */ - code = krb5_find_authdata(context, - tgt_auth_data, - NULL, - KRB5_AUTHDATA_WIN2K_PAC, - &pac_auth_data); - if (code != 0) { - DBG_ERR("krb5_find_authdata failed: %d\n", code); - goto done; - } - DBG_DEBUG("Found PAC data for TGS-REQ [%s]\n", client_name); - - if (pac_auth_data != NULL && pac_auth_data[0] != NULL) { - if (pac_auth_data[1] != NULL) { - DBG_ERR("Invalid PAC data!\n"); - code = KRB5KDC_ERR_BADOPTION; - goto done; - } - - DBG_DEBUG("Verify PAC for TGS [%s]\n", - client_name); - - code = ks_verify_pac(context, - flags, - ks_client_princ, - client_entry, - server, - krbtgt, - server_key, - krbtgt_key, - authtime, - tgt_auth_data, - &pac); - if (code != 0) { - goto done; - } - } else { - if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { - DBG_DEBUG("Generate PAC for constrained" - "delegation TGS [%s]\n", - client_name); - - code = krb5_pac_init(context, &pac); - if (code != 0) { - goto done; - } - - code = ks_get_pac(context, - flags, - client_entry, - server, - NULL, - &pac); - if (code != 0 && code != ENOENT) { - goto done; - } - } - } - } - - if (pac == NULL) { - DBG_DEBUG("No PAC data - we're done [%s]\n", client_name); - *signed_auth_data = NULL; - code = 0; - goto done; - } - - DBG_DEBUG("Signing PAC for %s [%s]\n", - is_as_req ? "AS-REQ" : "TGS-REQ", - client_name); - code = krb5_pac_sign(context, pac, authtime, ks_client_princ, - server_key, krbtgt_key, &pac_data); - if (code != 0) { - DBG_ERR("krb5_pac_sign failed: %d\n", code); - goto done; - } - - authdata = calloc(2, sizeof(krb5_authdata *)); - if (authdata == NULL) { - goto done; - } - - authdata[0] = malloc(sizeof(krb5_authdata)); - if (authdata[0] == NULL) { - goto done; - } - - /* put in signed data */ - authdata[0]->magic = KV5M_AUTHDATA; - authdata[0]->ad_type = KRB5_AUTHDATA_WIN2K_PAC; - authdata[0]->contents = (krb5_octet *)pac_data.data; - authdata[0]->length = pac_data.length; - - code = krb5_encode_authdata_container(context, - KRB5_AUTHDATA_IF_RELEVANT, - authdata, - signed_auth_data); - if (code != 0) { - goto done; - } - - code = 0; - -done: - if (client_entry != NULL && client_entry != client) { - ks_free_principal(context, client_entry); - } - SAFE_FREE(client_name); - krb5_free_authdata(context, authdata); - krb5_pac_free(context, pac); - - return code; -} -#else /* KRB5_KDB_DAL_MAJOR_VERSION >= 9 */ static krb5_error_code ks_update_pac(krb5_context context, int flags, krb5_db_entry *client, @@ -686,7 +315,6 @@ krb5_error_code kdb_samba_db_issue_pac(krb5_context context, return code; } -#endif /* KRB5_KDB_DAL_MAJOR_VERSION */ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, krb5_const_principal client, @@ -707,7 +335,6 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, } -#if KRB5_KDB_DAL_MAJOR_VERSION >= 9 krb5_error_code kdb_samba_db_allowed_to_delegate_from( krb5_context context, krb5_const_principal client_principal, @@ -731,7 +358,6 @@ krb5_error_code kdb_samba_db_allowed_to_delegate_from( return code; } -#endif static void samba_bad_password_count(krb5_db_entry *client, diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 7b6158f1ed7..d99ca60fee8 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -220,15 +220,12 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, return ENOMEM; } -#if KRB5_KDB_API_VERSION >= 10 /* * The MIT KDC code that wants the canonical name in all lookups, and * takes care to canonicalize only when appropriate. */ sflags |= SDB_F_FORCE_CANON; -#endif -#if KRB5_KDB_DAL_MAJOR_VERSION >= 9 if (kflags & KRB5_KDB_FLAG_REFERRAL_OK) { sflags |= SDB_F_CANON; } @@ -249,33 +246,6 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, sflags |= SDB_F_FOR_TGS_REQ; } } -#else /* KRB5_KDB_DAL_MAJOR_VERSION < 9 */ - if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { - sflags |= SDB_F_CANON; - } - if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | - KRB5_KDB_FLAG_INCLUDE_PAC)) { - /* - * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to - * SDB_F_FOR_AS_REQ - * - * We use ANY to also allow AS_REQ for service principal names - * This is supported by Windows. - */ - sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ; - } else { - int equal = smb_krb5_principal_is_tgs(ctx->context, principal); - if (equal == -1) { - return ENOMEM; - } - - if (equal) { - sflags |= SDB_F_GET_KRBTGT; - } else { - sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ; - } - } -#endif /* KRB5_KDB_DAL_MAJOR_VERSION */ /* always set this or the created_by data will not be populated by samba's * backend and we will fail to parse the entry later */ @@ -617,140 +587,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, return code; } -#if KRB5_KDB_DAL_MAJOR_VERSION < 9 -krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, - krb5_context context, - int kdc_flags, - krb5_const_principal client_principal, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_db_entry *krbtgt, - krb5_keyblock *krbtgt_keyblock, - krb5_pac *pac) -{ - TALLOC_CTX *tmp_ctx; - krb5_error_code code; - struct samba_kdc_entry *client_skdc_entry = NULL; - struct samba_kdc_entry *krbtgt_skdc_entry = NULL; - struct samba_kdc_entry *server_skdc_entry = NULL; - struct samba_kdc_entry *delegated_proxy_entry = NULL; - krb5_principal delegated_proxy_principal = NULL; - krb5_pac new_pac = NULL; - bool is_in_db = false; - bool is_trusted = false; - uint32_t flags = SAMBA_KDC_FLAG_SKIP_PAC_BUFFER; - - /* Create a memory context early so code can use talloc_stackframe() */ - tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context"); - if (tmp_ctx == NULL) { - return ENOMEM; - } - - if (client != NULL) { - client_skdc_entry = - talloc_get_type_abort(client->e_data, - struct samba_kdc_entry); - } - - if (server == NULL) { - code = EINVAL; - goto done; - } - - server_skdc_entry = - talloc_get_type_abort(server->e_data, - struct samba_kdc_entry); - - if (krbtgt == NULL) { - code = EINVAL; - goto done; - } - krbtgt_skdc_entry = - talloc_get_type_abort(krbtgt->e_data, - struct samba_kdc_entry); - - code = samba_krbtgt_is_in_db(krbtgt_skdc_entry, - &is_in_db, - &is_trusted); - if (code != 0) { - goto done; - } - - if (is_trusted) { - flags |= SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED; - } - - if (is_in_db) { - flags |= SAMBA_KDC_FLAG_KRBTGT_IN_DB; - - } - - if (kdc_flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { - flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION; - } - - if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { - flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION; - delegated_proxy_entry = client_skdc_entry; - delegated_proxy_principal = discard_const(client_principal); - } - - code = samba_kdc_verify_pac(tmp_ctx, - context, - flags, - client_skdc_entry, - krbtgt_skdc_entry, - NULL /* device */, - NULL /* device_pac */, - *pac); - if (code != 0) { - goto done; - } - - /* Build an updated PAC */ - code = krb5_pac_init(context, &new_pac); - if (code != 0) { - goto done; - } - - code = samba_kdc_update_pac(tmp_ctx, - context, - krbtgt_skdc_entry->kdc_db_ctx->samdb, - krbtgt_skdc_entry->kdc_db_ctx->lp_ctx, - flags, - krbtgt_skdc_entry, - client_skdc_entry, - server->princ, - server_skdc_entry, - delegated_proxy_principal, - delegated_proxy_entry, - NULL /* delegated_proxy_pac */, - NULL /* device_krbtgt */, - NULL /* device */, - NULL /* device_pac */, - *pac, - new_pac, - NULL /* server_audit_info_out */, - NULL /* status_out */); - if (code != 0) { - krb5_pac_free(context, new_pac); - if (code == ENOATTR) { - krb5_pac_free(context, *pac); - *pac = NULL; - code = 0; - } - goto done; - } - - /* We now replace the pac */ - krb5_pac_free(context, *pac); - *pac = new_pac; - -done: - talloc_free(tmp_ctx); - return code; -} -#else krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, krb5_context context, int kdc_flags, @@ -871,7 +707,6 @@ done: talloc_free(tmp_ctx); return code; } -#endif /* provide header, function is exported but there are no public headers */ @@ -957,9 +792,6 @@ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, const krb5_db_entry *server, krb5_const_principal target_principal) { -#if KRB5_KDB_DAL_MAJOR_VERSION < 9 - return KRB5KDC_ERR_BADOPTION; -#else struct samba_kdc_entry *server_skdc_entry = talloc_get_type_abort(server->e_data, struct samba_kdc_entry); krb5_error_code code; @@ -970,7 +802,6 @@ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, target_principal); return code; -#endif } krb5_error_code mit_samba_check_allowed_to_delegate_from( @@ -980,9 +811,6 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from( krb5_pac header_pac, const krb5_db_entry *proxy) { -#if KRB5_KDB_DAL_MAJOR_VERSION < 8 - return KRB5KDC_ERR_POLICY; -#else struct samba_kdc_entry *proxy_skdc_entry = talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry); krb5_error_code code; @@ -995,7 +823,6 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from( proxy_skdc_entry); return code; -#endif } static krb5_error_code mit_samba_change_pwd_error(krb5_context context,