1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
/*
Unix SMB/CIFS implementation.
PAC Glue between Samba and the KDC
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
Copyright (C) Simo Sorce <idra@samba.org> 2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
enum samba_asserted_identity {
SAMBA_ASSERTED_IDENTITY_IGNORE = 0,
SAMBA_ASSERTED_IDENTITY_SERVICE,
SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
};
enum {
SAMBA_KDC_FLAG_PROTOCOL_TRANSITION = 0x00000001,
SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION = 0x00000002,
SAMBA_KDC_FLAG_KRBTGT_IN_DB = 0x00000004,
SAMBA_KDC_FLAG_KRBTGT_IS_UNTRUSTED = 0x00000008,
SAMBA_KDC_FLAG_SKIP_PAC_BUFFER = 0x00000010,
};
krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
const krb5_keyblock *pkreplykey,
const DATA_BLOB *cred_ndr_blob,
TALLOC_CTX *mem_ctx,
DATA_BLOB *cred_info_blob);
krb5_error_code samba_make_krb5_pac(krb5_context context,
const DATA_BLOB *logon_blob,
const DATA_BLOB *cred_blob,
const DATA_BLOB *upn_blob,
const DATA_BLOB *pac_attrs_blob,
const DATA_BLOB *requester_sid_blob,
const DATA_BLOB *deleg_blob,
krb5_pac pac);
bool samba_princ_needs_pac(struct samba_kdc_entry *skdc_entry);
int samba_client_requested_pac(krb5_context context,
const krb5_pac *pac,
TALLOC_CTX *mem_ctx,
bool *requested_pac);
int samba_krbtgt_is_in_db(struct samba_kdc_entry *skdc_entry,
bool *is_in_db,
bool *is_untrusted);
NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
struct ldb_message *msg,
struct auth_user_info_dc **user_info_dc);
NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
struct samba_kdc_entry *skdc_entry,
enum samba_asserted_identity asserted_identity,
DATA_BLOB **_logon_info_blob,
DATA_BLOB **_cred_ndr_blob,
DATA_BLOB **_upn_info_blob,
DATA_BLOB **_pac_attrs_blob,
uint64_t pac_attributes,
DATA_BLOB **_requester_sid_blob);
NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
krb5_context context,
struct ldb_context *samdb,
const krb5_pac pac, DATA_BLOB *pac_blob,
struct PAC_SIGNATURE_DATA *pac_srv_sig,
struct PAC_SIGNATURE_DATA *pac_kdc_sig);
NTSTATUS samba_kdc_update_delegation_info_blob(TALLOC_CTX *mem_ctx,
krb5_context context,
const krb5_pac pac,
const krb5_principal server_principal,
const krb5_principal proxy_principal,
DATA_BLOB *pac_blob);
krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status);
NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
const char *client_name,
const char *workstation,
bool password_change);
krb5_error_code samba_kdc_validate_pac_blob(
krb5_context context,
struct samba_kdc_entry *client_skdc_entry,
const krb5_pac pac);
/*
* In the RODC case, to confirm that the returned user is permitted to
* be replicated to the KDC (krbgtgt_xxx user) represented by *rodc
*/
WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_sids,
struct dom_sid *sids,
struct samba_kdc_entry *rodc,
struct samba_kdc_entry *object);
krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
krb5_context context,
struct ldb_context *samdb,
uint32_t flags,
struct samba_kdc_entry *client,
const krb5_principal server_principal,
struct samba_kdc_entry *server,
struct samba_kdc_entry *krbtgt,
const krb5_principal delegated_proxy_principal,
const krb5_pac old_pac,
krb5_pac new_pac);
|
