/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <ctype.h>
#include <errno.h>
#include <syslog.h>
#include <netdb.h>
#include <kerberosv5/krb5.h>
#include <kerberosv5/com_err.h>
#include <smbsrv/libsmbns.h>
#include <smbns_krb.h>
/*
* Kerberized services available on the system.
*/
/*
* Service keys are salted with the SMB_KRB_PN_ID_ID_SALT prinipal
* name.
*/
/*
* to request the CIFS service.
*/
/* NFS */
/* HTTP */
/* ROOT */
};
#define SMB_KRB5_SPN_TAB_SZ \
(sizeof (smb_krb5_pn_tab) / sizeof (smb_krb5_pn_tab[0]))
static int smb_krb5_spn_count(uint32_t);
const char *, krb5_principal *);
static int smb_krb5_kt_remove_by_fqdn(krb5_context, char *);
/*
* Generates a null-terminated array of principal names that
* represents the list of the available Kerberized services
* of the specified type (SPN attribute, UPN attribute, or
* keytab entry).
*
* Returns the number of principal names returned via the 1st
* output parameter (i.e. vals).
*
* Caller must invoke smb_krb5_free_spns to free the allocated
* memory when finished.
*/
{
int cnt, i;
return (0);
return (0);
tabent = &smb_krb5_pn_tab[i];
break;
continue;
"smbns_kpasswd: failed to obtain principal names:"
" possible transient memory shortage");
return (0);
}
}
}
void
{
int i;
return;
}
/*
* The format of SMBNS_KRB5_KEYTAB_ENV is
* [[<kt type>:]<absolute path of the keytab file>] where <kt type> can be
* FILE or WRFILE. This function gets the absolute path of the keytab file by
* stripping off the <kt type>.
*/
char *
smb_krb5_kt_getpath(void)
{
char *p, *path;
return (SMBNS_KRB5_KEYTAB);
path = ++p;
return (path);
}
/*
* Update keytab file during startup if keys that SMB service relies on
* are missing from the keytab. If keytab file doesn't exist, create one
* and add keys for all SPNs of the specified domain to the keytab file.
*/
int
{
int i;
int rc;
char *path;
"smbns_kpasswd: unable to obtain machine password");
return (-1);
}
"Kerberos context initialization failed");
return (-1);
}
path = smb_krb5_kt_getpath();
== 0) {
rc = -1;
goto cleanup;
}
} else {
&spns)) != 0) {
rc = -1;
goto cleanup;
}
rc = 0;
goto cleanup;
}
}
"smbns_kpasswd(%s: %s): key removal failed",
rc = -1;
goto cleanup;
}
}
"smbns_kpasswd(%s): key addition failed",
rc = -1;
goto cleanup;
}
rc = 0;
return (rc);
}
/*
* Update keytab file during domain join.
* Prior to adding new key set for the specified AD domain, any old key sets
* for the specified domain will be removed.
*
* Pre-condition: fqdn and passwd input parameters have already been validated
* to be non-NULL.
*/
int
{
char *path;
int rc = 0;
"Kerberos context initialization failed");
return (-1);
}
return (-1);
}
return (-1);
}
path = smb_krb5_kt_getpath();
"smbns_kpasswd(%s: %s): key addition failed",
rc = -1;
}
return (rc);
}
/*
* Wrapper function to call smb_krb5_kt_remove_by_fqdn.
* The intent is to hide the Kerberos context from the API consumer.
*/
int
{
int rc = 0;
"Failed to initiate Kerberos context");
return (-1);
}
rc = -1;
return (rc);
}
/*
* Set the workstation trust account password.
* Returns 0 on success. Otherwise, returns non-zero value.
*/
int
{
int result_code = 0;
int rc = 0;
"smbns_kpasswd: Failed to initialize Kerberos context");
return (-1);
}
return (-1);
}
if (code != 0) {
"smbns_kpasswd: failed to find %s",
return (-1);
}
if (code != 0) {
"smbns_kpasswd: KPASSWD protocol exchange failed (%.*s)",
rc = -1;
}
if (result_code != 0) {
rc = -1;
}
return (rc);
}
/*
* Derives the Kerberos realm from the specified fqdn, and removes
* all keytab entries associated with that realm from the keytab file.
*/
static int
{
return (-1);
return (-1);
return (0);
if (kerr != 0) {
path = smb_krb5_kt_getpath();
"smbns_kpasswd(%s: %s): key removal failed",
return (-1);
}
return (0);
}
/*
* Returns the set of missing service principals that are required for CIFS
* Service Kerberos authentication via the output parameter 'set'.
* Caller must invoke smb_krb5_free_spns to free the allocated memory when
* finished.
*/
static krb5_error_code
{
int i;
char *svcprinc;
return (EINVAL);
return (ENOMEM);
tabent = &smb_krb5_pn_tab[i];
continue;
"smbns_kpasswd(%d): key verification skipped",
continue;
}
&valid)) != 0) {
"smbns_kpasswd(%s): key verification failed",
svcprinc);
continue;
}
if (valid)
else
}
return (rc);
}
{
return (found);
"smbns_kpasswd: Kerberos context initialization failed");
return (found);
}
&princ) != 0) {
return (found);
}
}
}
return (found);
}
static int
{
int i, cnt;
for (i = 0, cnt = 0; i < SMB_KRB5_SPN_TAB_SZ; i++) {
cnt++;
}
return (cnt);
}
/*
* Generate the Kerberos Principal given a principal name format and the
* fully qualified domain name. On success, caller must free the allocated
* memory by calling krb5_free_principal().
*/
static int
{
char *buf;
return (-1);
return (-1);
}
return (0);
}
/*
* Looks up an entry in the principal name table given the ID.
*/
static smb_krb5_pn_t *
{
int i;
for (i = 0; i < SMB_KRB5_SPN_TAB_SZ; i++) {
tabent = &smb_krb5_pn_tab[i];
return (tabent);
}
return (NULL);
}
/*
* Construct the principal name given an ID, the requested type, and the
* fully-qualified name of the domain of which the principal is a member.
*/
char *
const char *ad_domain)
{
char *buf;
return (NULL);
/* detect inconsistent requested format and type */
return (NULL);
switch (id) {
case SMB_KRB5_PN_ID_SALT:
break;
case SMB_KRB5_PN_ID_HOST_FQHN:
case SMB_KRB5_PN_ID_CIFS_FQHN:
case SMB_KRB5_PN_ID_NFS_FQHN:
case SMB_KRB5_PN_ID_HTTP_FQHN:
case SMB_KRB5_PN_ID_ROOT_FQHN:
break;
break;
case SMB_KRB5_PN_ID_SAM_ACCT:
break;
}
/*
* If the requested principal is either added to keytab / the machine
* account as the UPN attribute or used for key salt generation,
* the principal name must have the @<REALM> portion.
*/
return (NULL);
}
(void) smb_strupr(realm);
char *tmp;
realm);
}
}
return (buf);
}