xref: /illumos-gate/usr/src/lib/smbsrv/libsmbns/common/smbns_ksetpwd.c (revision 2b24ab6b3865caeede9eeb9db6b83e1d89dcd1ea) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <strings.h>
31 #include <unistd.h>
32 #include <ctype.h>
33 #include <errno.h>
34 #include <syslog.h>
35 #include <netdb.h>
36 #include <sys/param.h>
37 #include <kerberosv5/krb5.h>
38 #include <kerberosv5/com_err.h>
39 
40 #include <smbsrv/libsmb.h>
41 #include <smbns_krb.h>
42 
43 static char *spn_prefix[] = {"host/", "nfs/", "HTTP/", "root/"};
44 
45 static int smb_krb5_open_wrfile(krb5_context ctx, char *fname,
46     krb5_keytab *kt);
47 static int smb_krb5_ktadd(krb5_context ctx, krb5_keytab kt,
48     const krb5_principal princ, krb5_enctype enctype, krb5_kvno kvno,
49     const char *pw);
50 
51 /*
52  * smb_krb5_get_spn
53  *
54  * Gets Service Principal Name.
55  * Caller must free the memory allocated for the spn.
56  */
57 char *
58 smb_krb5_get_spn(smb_krb5_spn_idx_t idx, char *fqhost)
59 {
60 	int len;
61 	char *princ;
62 	char *spn;
63 
64 	if (!fqhost)
65 		return (NULL);
66 
67 	if ((idx < 0) || (idx >= SMBKRB5_SPN_IDX_MAX))
68 		return (NULL);
69 
70 	spn = spn_prefix[idx];
71 	len = strlen(spn) + strlen(fqhost) + 1;
72 	princ = (char *)malloc(len);
73 
74 	if (!princ)
75 		return (NULL);
76 
77 	(void) snprintf(princ, len, "%s%s", spn, fqhost);
78 	return (princ);
79 }
80 
81 /*
82  * smb_krb5_get_upn
83  *
84  * Gets User Principal Name.
85  * Caller must free the memory allocated for the upn.
86  */
87 char *
88 smb_krb5_get_upn(char *spn, char *domain)
89 {
90 	int len;
91 	char *realm;
92 	char *upn;
93 
94 	if (!spn || !domain)
95 		return (NULL);
96 
97 	realm = strdup(domain);
98 	if (!realm)
99 		return (NULL);
100 
101 	(void) utf8_strupr(realm);
102 
103 	len = strlen(spn) + 1 + strlen(realm) + 1;
104 	upn = (char *)malloc(len);
105 	if (!upn) {
106 		free(realm);
107 		return (NULL);
108 	}
109 
110 	(void) snprintf(upn, len, "%s@%s", spn, realm);
111 	free(realm);
112 
113 	return (upn);
114 }
115 
116 /*
117  * smb_krb5_get_host_upn
118  *
119  * Derives UPN by the given fully-qualified hostname.
120  * Caller must free the memory allocated for the upn.
121  */
122 static char *
123 smb_krb5_get_host_upn(const char *fqhn)
124 {
125 	char *upn;
126 	char *realm;
127 	char *dom;
128 	int len;
129 
130 	if ((dom = strchr(fqhn, '.')) == NULL)
131 		return (NULL);
132 
133 	if ((realm = strdup(++dom)) == NULL)
134 		return (NULL);
135 
136 	(void) utf8_strupr(realm);
137 
138 	len = strlen(spn_prefix[SMBKRB5_SPN_IDX_HOST]) + strlen(fqhn) +
139 	    + 1 + strlen(realm) + 1;
140 	if ((upn = malloc(len)) == NULL) {
141 		free(realm);
142 		return (NULL);
143 	}
144 
145 	(void) snprintf(upn, len, "%s%s@%s", spn_prefix[SMBKRB5_SPN_IDX_HOST],
146 	    fqhn, realm);
147 
148 	free(realm);
149 	return (upn);
150 }
151 
152 /*
153  * smb_krb5_ctx_init
154  *
155  * Initialize the kerberos context.
156  * Return 0 on success. Otherwise, return -1.
157  */
158 int
159 smb_krb5_ctx_init(krb5_context *ctx)
160 {
161 	if (krb5_init_context(ctx) != 0)
162 		return (-1);
163 
164 	return (0);
165 }
166 
167 /*
168  * smb_krb5_get_principals
169  *
170  * Setup the krb5_principal array given the principals in string format.
171  * Return 0 on success. Otherwise, return -1.
172  */
173 int
174 smb_krb5_get_principals(char *domain, krb5_context ctx,
175     krb5_principal *krb5princs)
176 {
177 	char fqhn[MAXHOSTNAMELEN];
178 	int i;
179 	char *spn, *upn;
180 
181 	if (smb_gethostname(fqhn, MAXHOSTNAMELEN, 0) != 0)
182 			return (-1);
183 
184 	(void) snprintf(fqhn, MAXHOSTNAMELEN, "%s.%s", fqhn,
185 	    domain);
186 
187 	for (i = 0; i < SMBKRB5_SPN_IDX_MAX; i++) {
188 
189 		if ((spn = smb_krb5_get_spn(i, fqhn)) == NULL) {
190 			return (-1);
191 		}
192 
193 		upn = smb_krb5_get_upn(spn, domain);
194 		free(spn);
195 
196 		if (krb5_parse_name(ctx, upn, &krb5princs[i]) != 0) {
197 			smb_krb5_free_principals(ctx, krb5princs, i - 1);
198 			free(upn);
199 			return (-1);
200 		}
201 		free(upn);
202 	}
203 	return (0);
204 }
205 
206 void
207 smb_krb5_free_principals(krb5_context ctx, krb5_principal *krb5princs,
208     size_t num)
209 {
210 	int i;
211 
212 	for (i = 0; i < num; i++)
213 		krb5_free_principal(ctx, krb5princs[i]);
214 }
215 
216 /*
217  * smb_krb5_ctx_fini
218  *
219  * Free the kerberos context.
220  */
221 void
222 smb_krb5_ctx_fini(krb5_context ctx)
223 {
224 	krb5_free_context(ctx);
225 }
226 
227 /*
228  * smb_ksetpw
229  *
230  * Set the workstation trust account password.
231  * Returns 0 on success.  Otherwise, returns non-zero value.
232  */
233 int
234 smb_krb5_setpwd(krb5_context ctx, krb5_principal princ, char *passwd)
235 {
236 	krb5_error_code code;
237 	krb5_ccache cc = NULL;
238 	int result_code;
239 	krb5_data result_code_string, result_string;
240 
241 	(void) memset(&result_code_string, 0, sizeof (result_code_string));
242 	(void) memset(&result_string, 0, sizeof (result_string));
243 
244 	if ((code = krb5_cc_default(ctx, &cc)) != 0) {
245 		syslog(LOG_ERR, "smb_krb5_setpwd: failed to find a ccache\n");
246 		return (-1);
247 	}
248 
249 	code = krb5_set_password_using_ccache(ctx, cc, passwd, princ,
250 	    &result_code, &result_code_string, &result_string);
251 
252 	krb5_cc_close(ctx, cc);
253 
254 	if (code != 0)
255 		(void) syslog(LOG_ERR,
256 		    "smb_krb5_setpwd: Result: %.*s (%d) %.*s\n",
257 		    result_code == 0 ?
258 		    strlen("success") : result_code_string.length,
259 		    result_code == 0 ? "success" : result_code_string.data,
260 		    result_code, result_string.length, result_string.data);
261 
262 	free(result_code_string.data);
263 	free(result_string.data);
264 	return (code);
265 }
266 
267 /*
268  * smb_krb5_open_wrfile
269  *
270  * Open the keytab file for writing.
271  * The keytab should be closed by calling krb5_kt_close().
272  */
273 static int
274 smb_krb5_open_wrfile(krb5_context ctx, char *fname, krb5_keytab *kt)
275 {
276 	char *ktname;
277 	int len;
278 
279 	*kt = NULL;
280 	len = snprintf(NULL, 0, "WRFILE:%s", fname) + 1;
281 	if ((ktname = malloc(len)) == NULL) {
282 		syslog(LOG_ERR, "smb_krb5_write_keytab: resource shortage");
283 		return (-1);
284 	}
285 
286 	(void) snprintf(ktname, len, "WRFILE:%s", fname);
287 
288 	if (krb5_kt_resolve(ctx, ktname, kt) != 0) {
289 		syslog(LOG_ERR, "smb_krb5_write_keytab: failed to open/create "
290 		    "keytab %s\n", fname);
291 		free(ktname);
292 		return (-1);
293 	}
294 
295 	free(ktname);
296 	return (0);
297 }
298 
299 /*
300  * smb_krb5_add_keytab_entries
301  *
302  * Update the keys for the specified principal in the keytab.
303  * Returns 0 on success.  Otherwise, returns -1.
304  */
305 int
306 smb_krb5_add_keytab_entries(krb5_context ctx, krb5_principal *princs,
307     char *fname, krb5_kvno kvno, char *passwd, krb5_enctype *enctypes,
308     int enctype_count)
309 {
310 	krb5_keytab kt = NULL;
311 	int i, j;
312 
313 	if (smb_krb5_open_wrfile(ctx, fname, &kt) != 0)
314 		return (-1);
315 
316 	for (j = 0; j < SMBKRB5_SPN_IDX_MAX; j++) {
317 		for (i = 0; i < enctype_count; i++) {
318 			if (smb_krb5_ktadd(ctx, kt, princs[j], enctypes[i],
319 			    kvno, passwd) != 0) {
320 				krb5_kt_close(ctx, kt);
321 				return (-1);
322 			}
323 		}
324 
325 	}
326 	krb5_kt_close(ctx, kt);
327 	return (0);
328 }
329 
330 boolean_t
331 smb_krb5_find_keytab_entries(const char *fqhn, char *fname)
332 {
333 	krb5_context ctx;
334 	krb5_keytab kt;
335 	krb5_keytab_entry entry;
336 	krb5_principal princ;
337 	char ktname[MAXPATHLEN];
338 	char *upn;
339 	boolean_t found = B_FALSE;
340 
341 	if (!fqhn || !fname)
342 		return (found);
343 
344 	if ((upn = smb_krb5_get_host_upn((char *)fqhn)) == NULL)
345 		return (found);
346 
347 	if (smb_krb5_ctx_init(&ctx) != 0) {
348 		free(upn);
349 		return (found);
350 	}
351 
352 	if (krb5_parse_name(ctx, upn, &princ) != 0) {
353 		free(upn);
354 		smb_krb5_ctx_fini(ctx);
355 		return (found);
356 	}
357 
358 	free(upn);
359 	(void) snprintf(ktname, MAXPATHLEN, "FILE:%s", fname);
360 	if (krb5_kt_resolve(ctx, ktname, &kt) == 0) {
361 		if (krb5_kt_get_entry(ctx, kt, princ, 0, 0, &entry) == 0) {
362 			found = B_TRUE;
363 			krb5_kt_free_entry(ctx, &entry);
364 		}
365 
366 		krb5_kt_close(ctx, kt);
367 	}
368 
369 	krb5_free_principal(ctx, princ);
370 	smb_krb5_ctx_fini(ctx);
371 	return (found);
372 }
373 
374 /*
375  * smb_krb5_ktadd
376  *
377  * Add a Keberos key to the keytab file.
378  * Returns 0 on success. Otherwise, returns -1.
379  */
380 static int
381 smb_krb5_ktadd(krb5_context ctx, krb5_keytab kt, const krb5_principal princ,
382 	krb5_enctype enctype, krb5_kvno kvno, const char *pw)
383 {
384 	krb5_keytab_entry *entry;
385 	krb5_data password, salt;
386 	krb5_keyblock key;
387 	krb5_error_code code;
388 	char buf[100];
389 	int rc = 0;
390 
391 	if ((code = krb5_enctype_to_string(enctype, buf, sizeof (buf)))) {
392 		syslog(LOG_ERR, "smb_krb5_ktadd[%d]: unknown enctype",
393 		    enctype);
394 		return (-1);
395 	}
396 
397 	if ((entry = (krb5_keytab_entry *) malloc(sizeof (*entry))) == NULL) {
398 		syslog(LOG_ERR, "smb_krb5_ktadd[%d]: resource shortage",
399 		    enctype);
400 		return (-1);
401 	}
402 
403 	(void) memset((char *)entry, 0, sizeof (*entry));
404 
405 	password.length = strlen(pw);
406 	password.data = (char *)pw;
407 
408 	if ((code = krb5_principal2salt(ctx, princ, &salt)) != 0) {
409 		syslog(LOG_ERR, "smb_krb5_ktadd[%d]: failed to compute salt",
410 		    enctype);
411 		free(entry);
412 		return (-1);
413 	}
414 
415 	code = krb5_c_string_to_key(ctx, enctype, &password, &salt, &key);
416 	krb5_xfree(salt.data);
417 	if (code != 0) {
418 		syslog(LOG_ERR, "smb_krb5_ktadd[%d]: failed to generate key",
419 		    enctype);
420 		free(entry);
421 		return (-1);
422 	}
423 
424 	(void) memcpy(&entry->key, &key, sizeof (krb5_keyblock));
425 	entry->vno = kvno;
426 	entry->principal = princ;
427 
428 	if ((code = krb5_kt_add_entry(ctx, kt, entry)) != 0) {
429 		syslog(LOG_ERR, "smb_krb5_ktadd[%d] failed to add entry to "
430 		    "keytab (%d)", enctype, code);
431 		rc = -1;
432 	}
433 
434 	free(entry);
435 	if (key.length)
436 		krb5_free_keyblock_contents(ctx, &key);
437 	return (rc);
438 }
439