krb5_child.c revision f5db13d4462faa531c9924181f0fd51364647e2d
/*
 * Kerberos 5 Backend Module -- tgt_req and changepw child
 *
 * Sumit Bose <sbose@redhat.com>
 *
 * Copyright (C) 2009-2010 Red Hat
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder#define KRB5_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error)
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maederstatic krb5_error_code set_lifetime_options(krb5_get_init_creds_opt *options)
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder lifetime_str = getenv(SSSD_KRB5_RENEWABLE_LIFETIME);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CONF_SETTINGS, "Cannot read [%s] from environment.\n",
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers /* Unset option flag to make sure defaults from krb5.conf are used. */
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder kerr = krb5_string_to_deltat(lifetime_str, &lifetime);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers "krb5_string_to_deltat failed for [%s].\n",
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder DEBUG(SSSDBG_CONF_SETTINGS, "%s is set to [%s]\n",
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder SSSD_KRB5_RENEWABLE_LIFETIME, lifetime_str);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder krb5_get_init_creds_opt_set_renew_life(options, lifetime);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder DEBUG(SSSDBG_CONF_SETTINGS, "Cannot read [%s] from environment.\n",
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder /* Unset option flag to make sure defaults from krb5.conf are used. */
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_TKT_LIFE);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder kerr = krb5_string_to_deltat(lifetime_str, &lifetime);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "krb5_string_to_deltat failed for [%s].\n",
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder "%s is set to [%s]\n", SSSD_KRB5_LIFETIME, lifetime_str);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maederstatic void set_canonicalize_option(krb5_get_init_creds_opt *opts)
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder DEBUG(SSSDBG_CONF_SETTINGS, "%s is set to [%s]\n",
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set");
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic void set_changepw_options(krb5_get_init_creds_opt *options)
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers krb5_get_init_creds_opt_set_forwardable(options, 0);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder krb5_get_init_creds_opt_set_proxiable(options, 0);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers krb5_get_init_creds_opt_set_renew_life(options, 0);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
fea14169cb07365fe4d12fea734d7b761ea8b287Christian Maederstatic void revert_changepw_options(krb5_get_init_creds_opt *options)
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers /* Currently we do not set forwardable and proxiable explicitly, the flags
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers * must be removed so that libkrb5 can take the defaults from krb5.conf */
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_FORWARDABLE);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_PROXIABLE);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder DEBUG(SSSDBG_OP_FAILURE, ("set_lifetime_options failed.\n"));
42c01284bba8d7c8d995c8dfb96ace57d28ed1bcTill Mossakowskistatic errno_t sss_send_pac(krb5_authdata **pac_authdata)
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder if (ret != NSS_STATUS_SUCCESS || errnop != 0) {
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_OP_FAILURE, "sss_pac_make_request failed [%d][%d].\n",
6c4ee04931dded62728f3a9954b2799beed536e9Christian Maederstatic void sss_krb5_expire_callback_func(krb5_context context, void *data,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder struct krb5_req *kr = talloc_get_type(data, struct krb5_req);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder DEBUG(SSSDBG_CRIT_FAILURE, "Time to expire out of range.\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_TRACE_INTERNAL, "exp_time: [%ld]\n", exp_time);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, 2 * sizeof(uint32_t),
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder * TODO: These features generally would requires a significant refactoring
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * of SSSD and MIT krb5 doesn't support them anyway. They are listed here
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers * simply as a reminder of things that might become future feature potential.
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers * 1. tokeninfo selection
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * 3. discreet token/pin prompting
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers * 4. interactive otp format correction
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroedertypedef int (*checker)(int c);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder case KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder case KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maederstatic krb5_error_code tokeninfo_matches_2fa(TALLOC_CTX *mem_ctx,
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_NEXTOTP) {
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers /* This is a non-sensical value. */
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder if (ti->length > 0 && ti->length != fa2_len) {
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "Expected [%d] and given [%zu] token size "
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN) {
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN) {
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder pin = talloc_strndup(mem_ctx, fa1, fa1_len);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder talloc_set_destructor(pin, token_pin_destructor);
42c01284bba8d7c8d995c8dfb96ace57d28ed1bcTill Mossakowski token = talloc_strndup(mem_ctx, fa2, fa2_len);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder talloc_set_destructor(token, token_pin_destructor);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder token = talloc_asprintf(mem_ctx, "%s%s", fa1, fa2);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder talloc_set_destructor(token, token_pin_destructor);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder /* Assuming PIN only required */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder pin = talloc_strndup(mem_ctx, fa1, fa1_len);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder talloc_set_destructor(pin, token_pin_destructor);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* If check is set, we need to verify the contents of the token. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder for (i = 0; check != NULL && token[i] != '\0'; i++) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic krb5_error_code tokeninfo_matches_pwd(TALLOC_CTX *mem_ctx,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_NEXTOTP) {
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder /* This is a non-sensical value. */
9271474a25bfadbf6d91b82ec60f614fb0dff492Christian Maeder if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {
9271474a25bfadbf6d91b82ec60f614fb0dff492Christian Maeder /* ASSUMPTION: authtok has one of the following formats:
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * 1. TokenValue
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * 2. PIN+TokenValue
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder talloc_set_destructor(token, token_pin_destructor);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* If the server desires a separate pin, we will split it.
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder * ASSUMPTION: Format of authtok is PIN+TokenValue. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Copy the PIN from the front of the value. */
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder pin = talloc_strndup(NULL, pwd, len - ti->length);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder talloc_set_destructor(pin, token_pin_destructor);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Remove the PIN from the front of the token value. */
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder memmove(token, token + len - ti->length, ti->length + 1);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder if (ti->length > 0 && ti->length != len) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder talloc_set_destructor(pin, token_pin_destructor);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder /* If check is set, we need to verify the contents of the token. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder for (i = 0; check != NULL && token[i] != '\0'; i++) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder const krb5_responder_otp_tokeninfo *ti,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder ret = sss_authtok_get_password(auth_tok, &pwd, &len);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_password failed.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder return tokeninfo_matches_pwd(mem_ctx, ti, pwd, len, out_token, out_pin);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder ret = sss_authtok_get_2fa(auth_tok, &pwd, &len, &fa2, &fa2_len);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_2fa failed.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder return tokeninfo_matches_2fa(mem_ctx, ti, pwd, len, fa2, fa2_len,
e07538a3c4dbc690e57f61aded6db89d876b2374Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported authtok type.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic krb5_error_code answer_otp(krb5_context ctx,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = krb5_responder_otp_get_challenge(ctx, rctx, &chl);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Either an error, or nothing to do. */
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder if (chl->tokeninfo == NULL || chl->tokeninfo[0] == NULL) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* No tokeninfos? Absurd! */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder for (i = 0; chl->tokeninfo[i] != NULL; i++) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_ALL, "[%zu] Vendor [%s].\n",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_ALL, "[%zu] Token-ID [%s].\n",
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_TRACE_ALL, "[%zu] Challenge [%s].\n",
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_TRACE_ALL, "[%zu] Flags [%d].\n",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kr->otp_vendor = talloc_strdup(kr, chl->tokeninfo[0]->vendor);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kr->otp_token_id = talloc_strdup(kr, chl->tokeninfo[0]->token_id);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder if (chl->tokeninfo[0]->challenge != NULL) {
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder kr->otp_challenge = talloc_strdup(kr, chl->tokeninfo[0]->challenge);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Allocation errors are ignored on purpose */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_INTERNAL, "Exit answer_otp during pre-auth.\n");
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder /* Find the first supported tokeninfo which matches our authtoken. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder for (i = 0; chl->tokeninfo[i] != NULL; i++) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = tokeninfo_matches(kr, chl->tokeninfo[i], kr->pd->authtok,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "No tokeninfos found which match our credentials.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder if (chl->tokeninfo[i]->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Don't let SSSD cache the OTP authtok since it is single-use. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = pam_add_response(kr->pd, SSS_OTP, 0, NULL);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder /* Respond with the appropriate answer. */
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder ret = krb5_responder_otp_set_answer(ctx, rctx, i, token, pin);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder krb5_responder_otp_challenge_free(ctx, rctx, chl);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maederstatic krb5_error_code sss_krb5_responder(krb5_context ctx,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder struct krb5_req *kr = talloc_get_type(data, struct krb5_req);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic krb5_error_code sss_krb5_prompter(krb5_context context, void *data,
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder const char *name, const char *banner,
6c4ee04931dded62728f3a9954b2799beed536e9Christian Maeder struct krb5_req *kr = talloc_get_type(data, struct krb5_req);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder DEBUG(SSSDBG_CRIT_FAILURE, "Cannot handle password prompts.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "Prompter called with empty banner, nothing to do.\n");
6c4ee04931dded62728f3a9954b2799beed536e9Christian Maeder DEBUG(SSSDBG_FUNC_DATA, "Prompter called with [%s].\n", banner);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = pam_add_response(kr->pd, SSS_PAM_TEXT_MSG, strlen(banner)+1,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckersstatic krb5_error_code create_empty_cred(krb5_context ctx, krb5_principal princ,
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_CRIT_FAILURE, "calloc failed.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder kerr = krb5_copy_principal(ctx, princ, &cred->client);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "krb5_copy_principal failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_build_principal_ext(ctx, &cred->server,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "krb5_build_principal_ext failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_INTERNAL, "Created empty krb5_creds.\n");
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder /* We only treat the FILE type case in a special way due to the history
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * of storing FILE type ccache in /tmp and associated security issues */
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers if (ccname_len >= 6 && strcmp(ccname + (ccname_len - 6), "XXXXXX") == 0) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* NOTE: this call is only used to create a unique name, as later
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * krb5_cc_initialize() will unlink and recreate the file.
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * This is ok because this part of the code is called with
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * privileges already dropped when handling user ccache, or the ccache
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * is stored in a private directory. So we do not have huge issues if
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder * something races, we mostly care only about not accidentally use
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * an existing name and thus failing in the process of saving the
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * cache. Malicious races can only be avoided by libkrb5 itself. */
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "mkstemp(\"%s\") failed [%d]: %s!\n",
6c4ee04931dded62728f3a9954b2799beed536e9Christian Maeder/* NOTE: callers rely on 'name' being *changed* if it needs to be randomized,
6c4ee04931dded62728f3a9954b2799beed536e9Christian Maeder * as they will then send the name back to the new name via the return call
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * k5c_attach_ccname_msg(). Callers will send in a copy of the name if they
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder * do not care for changes. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic krb5_error_code create_ccache(char *ccname, krb5_creds *creds)
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Set a restrictive umask, just in case we end up creating any file */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* we create a new context here as the main process one may have been
6c4ee04931dded62728f3a9954b2799beed536e9Christian Maeder * opened as root and contain possibly references (even open handles ?)
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * to resources we do not have or do not want to have access to */
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "handle_randomized failed: %d\n", kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_ALL, "Initializing ccache of type [%s]\n", type);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_ALL, "CC supports switch\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_cc_set_default_name(kctx, ccname);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder DEBUG(SSSDBG_TRACE_ALL, "Cannot set default name!\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder kerr = krb5_cc_cache_match(kctx, creds->client, &cckcc);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_ALL, "Match not found\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_cc_new_unique(kctx, type, NULL, &cckcc);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_TRACE_ALL, "krb5_cc_cache_match failed\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_cc_initialize(kctx, kcc, creds->client);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder DEBUG(SSSDBG_TRACE_ALL, "krb5_cc_initialize failed\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_cc_store_cred(kctx, kcc, creds);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_TRACE_ALL, "krb5_cc_store_cred failed\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_TRACE_ALL, "krb5_cc_switch\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_ALL, "returning: %d\n", kerr);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder /* FIXME: should we krb5_cc_destroy in case of error ? */
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckersstatic errno_t pack_response_packet(TALLOC_CTX *mem_ctx, errno_t error,
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder /* A buffer with the following structure must be created:
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * int32_t status of the request (required)
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * message (zero or more)
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * A message consists of:
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder * int32_t type of the message
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * int32_t length of the following data
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * uint8_t[len] data
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder for (pdr = resp_list; pdr != NULL; pdr = pdr->next) {
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder buf = talloc_array(mem_ctx, uint8_t, size);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "Insufficient memory to create message.\n");
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder SAFEALIGN_SET_INT32(&buf[p], error, &p);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder for (pdr = resp_list; pdr != NULL; pdr = pdr->next) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder SAFEALIGN_SET_INT32(&buf[p], pdr->type, &p);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder SAFEALIGN_SET_INT32(&buf[p], pdr->len, &p);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder safealign_memcpy(&buf[p], pdr->data, pdr->len, &p);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder DEBUG(SSSDBG_TRACE_INTERNAL, "response packet size: [%zu]\n", p);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic errno_t k5c_attach_otp_info_msg(struct krb5_req *kr)
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder memcpy(msg + idx, kr->otp_token_id, token_id_len);
42c01284bba8d7c8d995c8dfb96ace57d28ed1bcTill Mossakowski memcpy(msg + idx, kr->otp_challenge, challenge_len);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = pam_add_response(kr->pd, SSS_PAM_OTP_INFO, msg_len, msg);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckersstatic errno_t k5c_attach_ccname_msg(struct krb5_req *kr)
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_CRIT_FAILURE, "Error obtaining ccname.\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers msg = talloc_asprintf(kr, "%s=%s",CCACHE_ENV_NAME, kr->ccname);
ea8e98e298f33f9362293f392c8fb192722b8904Eugen Kuksa DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
ea8e98e298f33f9362293f392c8fb192722b8904Eugen Kuksa ret = pam_add_response(kr->pd, SSS_PAM_ENV_ITEM,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maederstatic errno_t k5c_send_data(struct krb5_req *kr, int fd, errno_t error)
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_FUNC_DATA, "Received error code %d\n", error);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers ret = pack_response_packet(kr, error, kr->pd->resp_list, &buf, &len);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder written = sss_atomic_write_s(fd, buf, len);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "write failed [%d][%s].\n", ret, strerror(ret));
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "Write error, wrote [%zu] bytes, expected [%zu]\n",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_ALL, "Response sent.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maederstatic errno_t add_ticket_times_and_upn_to_response(struct krb5_req *kr)
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder unsigned int upn_len = 0;
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder t[0] = (int64_t) kr->creds->times.authtime;
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder t[1] = (int64_t) kr->creds->times.starttime;
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder t[3] = (int64_t) kr->creds->times.renew_till;
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder ret = pam_add_response(kr->pd, SSS_KRB5_INFO_TGT_LIFETIME,
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_unparse_name_ext(kr->ctx, kr->creds->client, &upn, &upn_len);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_OP_FAILURE, "krb5_unparse_name failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = pam_add_response(kr->pd, SSS_KRB5_INFO_UPN, upn_len,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic krb5_error_code validate_tgt(struct krb5_req *kr)
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "error resolving keytab [%s], " \
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder kerr = krb5_kt_start_seq_get(kr->ctx, keytab, &cursor);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s], " \
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* We look for the first entry from our realm or take the last one */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder while ((kt_err = krb5_kt_next_entry(kr->ctx, keytab, &entry, &cursor)) == 0) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder krb5_free_principal(kr->ctx, validation_princ);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_copy_principal(kr->ctx, entry.principal,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "krb5_copy_principal failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = sss_krb5_free_keytab_entry_contents(kr->ctx, &entry);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_MINOR_FAILURE, "Failed to free keytab entry.\n");
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder if (krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)) {
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "Found keytab entry with the realm of the credential.\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers "Keytab entry with the realm of the credential not found "
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers "in keytab. Using the last entry.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Close the keytab here. Even though we're using cursors, the file
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * handle is stored in the krb5_keytab structure, and it gets
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * overwritten when the verify_init_creds() call below creates its own
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * cursor, creating a leak. */
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder kerr = krb5_kt_end_seq_get(kr->ctx, keytab, &cursor);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_end_seq_get failed, " \
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "not verifying TGT.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder /* check if we got any errors from krb5_kt_next_entry */
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder if (kt_err != 0 && kt_err != KRB5_KT_END) {
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s], " \
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Get the principal to which the key belongs, for logging purposes. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_unparse_name(kr->ctx, validation_princ, &principal);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "internal error parsing principal name, "
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "not verifying TGT.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder kerr = krb5_verify_init_creds(kr->ctx, kr->creds, validation_princ, keytab,
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_TRACE_FUNC, "TGT verified using key for [%s].\n",
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE ,"TGT failed verification using key " \
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder /* Try to find and send the PAC to the PAC responder.
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * Failures are not critical. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_OP_FAILURE, "sss_extract_and_send_pac failed, group " \
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "membership for user with principal [%s] " \
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_OP_FAILURE, "sss_send_pac failed, group " \
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "membership for user with principal [%s] " \
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder krb5_cc_destroy(kr->ctx, validation_ccache);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder krb5_free_principal(kr->ctx, validation_princ);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers sss_krb5_free_unparsed_name(kr->ctx, principal);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maederstatic krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder krb5_get_init_creds_opt_set_address_list(&options, NULL);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers krb5_get_init_creds_opt_set_forwardable(&options, 0);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder krb5_get_init_creds_opt_set_proxiable(&options, 0);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Use the updated principal in the creds in case canonicalized */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic krb5_error_code get_and_save_tgt(struct krb5_req *kr,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx, kr->options,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "Failed to set expire callback, continue without.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "Attempting kinit for realm [%s]\n",realm_name);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder /* Any errors are ignored during pre-auth, only data is collected to
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * be send back to the client.*/
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "krb5_get_init_creds_password returned [%d} during pre-auth.\n",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CONF_SETTINGS, "TGT validation is disabled.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder /* If kr->ccname is cache collection (DIR:/...), we want to work
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * directly with file ccache (DIR::/...), but cache collection
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * should be returned back to back end.
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder cc_name = sss_get_ccache_name_for_principal(kr->pd, kr->ctx,
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers /* Use the updated principal in the creds in case canonicalized */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Successfull authentication! Check if ccache contains the
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * right principal...
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = sss_krb5_check_ccache_princ(kr->ctx, kr->ccname, kr->creds->client);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "No ccache for %s in %s?\n", kr->upn, kr->ccname);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder kerr = safe_remove_old_ccache_file(kr->old_ccname, kr->ccname,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "Failed to remove old ccache file [%s], "
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "please remove it manually.\n", kr->old_ccname);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder kerr = add_ticket_times_and_upn_to_response(kr);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder "add_ticket_times_and_upn_to_response failed.\n");
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder krb5_free_cred_contents(kr->ctx, kr->creds);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maederstatic errno_t map_krb5_error(krb5_error_code kerr)
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* ERR_CREDS_INVALID is used to indicate to the IPA provider that trying
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * password migration would make sense. All Kerberos error codes which can
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * be seen while migrating LDAP users to IPA should be added here. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Please do not remove KRB5KRB_ERR_GENERIC here, it is a _generic_ error
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * code and we cannot make any assumptions about the reason for the error.
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * As a consequence we cannot return a different error code than a generic
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * one which unfortunately might result in a unspecific system error
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * message to the user.
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers * If there are cases where libkrb5 calls return KRB5KRB_ERR_GENERIC where
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers * SSSD should behave differently this has to be detected by different
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * means, e.g. by evaluation error messages, and then the error code
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * should be changed to a more suitable KRB5* error code or immediately to
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * a SSSD ERR_* error code to avoid the default handling here. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic errno_t changepw_child(struct krb5_req *kr, bool prelim)
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_LIBS, "Password change operation\n");
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "Failed to fetch current password [%d] %s.\n",
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers /* We do not need a password expiration warning here. */
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "Attempting kinit for realm [%s]\n",realm_name);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "chpass is%s using OTP\n", kr->otp ? "" : " not");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.",
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers "pack_user_info_chpass_error failed.\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, msg_len,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "pam_add_response failed.\n");
55b14de0878c596dc00920ecac65bab478e930e8Christian Maeder "Initial authentication for change password operation "
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder "successful.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder krb5_free_cred_contents(kr->ctx, kr->creds);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = sss_authtok_get_password(kr->pd->newauthtok, &newpassword, NULL);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "Failed to fetch new password [%d] %s.\n",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder memset(&result_code_string, 0, sizeof(krb5_data));
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder memset(&result_string, 0, sizeof(krb5_data));
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_change_password(kr->ctx, kr->creds,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder "krb5_change_password failed [%d][%.*s].\n", result_code,
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder result_code_string.length, result_code_string.data);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder user_error_message = talloc_strndup(kr->pd, result_code_string.data,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder if (result_string.length > 0 && result_string.data[0] != '\0') {
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "krb5_change_password failed [%d][%.*s].\n", result_code,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder user_error_message = talloc_strndup(kr->pd, result_string.data,
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder } else if (result_code == KRB5_KPASSWD_SOFTERROR) {
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder user_error_message = talloc_strdup(kr->pd, "Please make sure the "
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder "password meets the complexity constraints.");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers ret = pack_user_info_chpass_error(kr->pd, user_error_message,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "pack_user_info_chpass_error failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, user_resp_len,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "pack_response_packet failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder krb5_free_cred_contents(kr->ctx, kr->creds);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder user_info_type = SSS_PAM_USER_INFO_OTP_CHPASS;
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, sizeof(uint32_t),
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* Not fatal */
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers /* We changed some of the gic options for the password change, now we have
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * to change them back to get a fresh TGT. */
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maederstatic errno_t tgt_req_child(struct krb5_req *kr)
55b14de0878c596dc00920ecac65bab478e930e8Christian Maeder DEBUG(SSSDBG_TRACE_LIBS, "Attempting to get a TGT\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder /* No password is needed for pre-auth, or if we have 2FA */
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_OP_FAILURE, "Invalid authtok type\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_OP_FAILURE, "No credentials available\n");
ea8e98e298f33f9362293f392c8fb192722b8904Eugen Kuksa /* add OTP tokeninfo messge if available */
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder /* If the password is expired the KDC will always return
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder KRB5KDC_ERR_KEY_EXP regardless if the supplied password is correct or
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder not. In general the password can still be used to get a changepw ticket.
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder So we validate the password by trying to get a changepw ticket. */
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder DEBUG(SSSDBG_TRACE_LIBS, "Password was expired\n");
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx,
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "Failed to unset expire callback, continue ...\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder krb5_free_cred_contents(kr->ctx, kr->creds);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder /* If the password is expired we can safely remove the ccache from the
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder * cache and disk if it is not actively used anymore. This will allow
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder * to create a new random ccache if sshd with privilege separation is
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder if (kr->old_cc_active == false && kr->old_ccname) {
4e521879e36515b983525ff9a4ea82ba44e5bbffChristian Maeder ret = safe_remove_old_ccache_file(kr->old_ccname, NULL,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "Failed to remove old ccache file [%s], "
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "please remove it manually.\n", kr->old_ccname);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic errno_t kuserok_child(struct krb5_req *kr)
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_LIBS, "Verifying if principal can log in as user\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers /* krb5_kuserok tries to verify that kr->pd->user is a locally known
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers * account, so we have to unset _SSS_LOOPS to make getpwnam() work. */
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unset _SSS_LOOPS, "
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "krb5_kuserok will most certainly fail.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_set_default_realm(kr->ctx, kr->realm);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder DEBUG(SSSDBG_CRIT_FAILURE, "krb5_set_default_realm failed, "
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder "krb5_kuserok may fail.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder access_allowed = krb5_kuserok(kr->ctx, kr->princ, kr->pd->user);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder "Access was %s\n", access_allowed ? "allowed" : "denied");
55b14de0878c596dc00920ecac65bab478e930e8Christian Maederstatic errno_t renew_tgt_child(struct krb5_req *kr)
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_TRACE_LIBS, "Renewing a ticket\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder ret = sss_authtok_get_ccfile(kr->pd->authtok, &ccname, NULL);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers "Unsupported authtok type for TGT renewal [%d].\n",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_cc_resolve(kr->ctx, ccname, &ccache);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_get_renewed_creds(kr->ctx, kr->creds, kr->princ, ccache, NULL);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_CONF_SETTINGS, "TGT validation is disabled.\n");
55b14de0878c596dc00920ecac65bab478e930e8Christian Maeder kerr = krb5_cc_initialize(kr->ctx, ccache, kr->princ);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = krb5_cc_store_cred(kr->ctx, ccache, kr->creds);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers kerr = add_ticket_times_and_upn_to_response(kr);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder "add_ticket_times_and_upn_to_response failed.\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder krb5_free_cred_contents(kr->ctx, kr->creds);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckersstatic errno_t create_empty_ccache(struct krb5_req *kr)
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_LIBS, "Creating empty ccache\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kerr = create_empty_cred(kr->ctx, kr->princ, &creds);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_TRACE_LIBS, "Existing ccache still valid, reusing\n");
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic errno_t unpack_authtok(struct sss_auth_token *tok,
ea8e98e298f33f9362293f392c8fb192722b8904Eugen Kuksa SAFEALIGN_COPY_UINT32_CHECK(&auth_token_type, buf + *p, size, p);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder SAFEALIGN_COPY_UINT32_CHECK(&auth_token_length, buf + *p, size, p);
55b14de0878c596dc00920ecac65bab478e930e8Christian Maeder ret = sss_authtok_set_password(tok, (char *)(buf + *p), 0);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
ea8e98e298f33f9362293f392c8fb192722b8904Eugen Kuksa ret = sss_authtok_set(tok, SSS_AUTHTOK_TYPE_2FA, (buf + *p),
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maederstatic errno_t unpack_buffer(uint8_t *buf, size_t size,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_TRACE_LIBS, "total buffer size: [%zu]\n", size);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder SAFEALIGN_COPY_UINT32_CHECK(&pd->cmd, buf + p, size, &p);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder SAFEALIGN_COPY_UINT32_CHECK(&kr->uid, buf + p, size, &p);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder SAFEALIGN_COPY_UINT32_CHECK(&kr->gid, buf + p, size, &p);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder SAFEALIGN_COPY_UINT32_CHECK(&validate, buf + p, size, &p);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kr->validate = (validate == 0) ? false : true;
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder SAFEALIGN_COPY_UINT32_CHECK(offline, buf + p, size, &p);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder SAFEALIGN_COPY_UINT32_CHECK(&send_pac, buf + p, size, &p);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers kr->send_pac = (send_pac == 0) ? false : true;
3fea26a73b8fa69b22dfd2653d8f7bdacb45b9c9Christian Maeder SAFEALIGN_COPY_UINT32_CHECK(&use_enterprise_princ, buf + p, size, &p);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers kr->use_enterprise_princ = (use_enterprise_princ == 0) ? false : true;
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kr->upn = talloc_strndup(pd, (char *)(buf + p), len);
ea8e98e298f33f9362293f392c8fb192722b8904Eugen Kuksa "cmd [%d] uid [%llu] gid [%llu] validate [%s] "
ea8e98e298f33f9362293f392c8fb192722b8904Eugen Kuksa "enterprise principal [%s] offline [%s] UPN [%s]\n",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder (unsigned long long) kr->gid, kr->validate ? "true" : "false",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kr->use_enterprise_princ ? "true" : "false",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder *offline ? "true" : "false", kr->upn ? kr->upn : "none");
3fea26a73b8fa69b22dfd2653d8f7bdacb45b9c9Christian Maeder pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || pd->cmd == SSS_PAM_CHAUTHTOK) {
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers kr->ccname = talloc_strndup(pd, (char *)(buf + p), len);
db6729e623b4053149084ccf4b35e5308ac7e359Christian Maeder SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder kr->old_ccname = talloc_strndup(pd, (char *)(buf + p), len);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder if (kr->old_ccname == NULL) return ENOMEM;
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder DEBUG(SSSDBG_TRACE_INTERNAL, "No old ccache\n");
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder kr->keytab = talloc_strndup(pd, (char *)(buf + p), len);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = unpack_authtok(pd->authtok, buf, size, &p);
db6729e623b4053149084ccf4b35e5308ac7e359Christian Maeder "ccname: [%s] old_ccname: [%s] keytab: [%s]\n",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder kr->old_ccname ? kr->old_ccname : "not set",
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maeder ret = unpack_authtok(pd->newauthtok, buf, size, &p);
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder sss_authtok_set_empty(pd->newauthtok);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder pd->user = talloc_strndup(pd, (char *)(buf + p), len);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CONF_SETTINGS, "user: [%s]\n", pd->user);
9c84ea0239ba21e070e7d76d47d30713a3610327Christian Maeder sss_krb5_get_init_creds_opt_free(kr->ctx, kr->options);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder krb5_free_cred_contents(kr->ctx, kr->creds);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder sss_krb5_free_unparsed_name(kr->ctx, kr->name);
0cb5f9c8582ad87ceef1c16b5d92347ae0878019Christian Maederstatic krb5_error_code get_tgt_times(krb5_context ctx, const char *ccname,
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder krberr = krb5_cc_resolve(ctx, ccname, &ccache);
94e112d16f89130a688db8b03ad3224903f5e97eChristian Maeder DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_resolve failed.\n");
c1c5a93b6f5bf18be1f4a0a9da6c0e32ff00266cFelix Reckers KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, krberr);
goto done;
} else if (krberr != 0) {
krberr = 0;
goto done;
krberr = 0;
done:
return krberr;
const char *primary,
const char *realm,
const char *keytab_name,
char **fast_ccname)
char *ccname;
char *server_name;
int status;
return ENOMEM;
goto done;
if (kerr) {
goto done;
if (kerr != 0) {
goto done;
goto done;
if (kerr != 0) {
goto done;
if (kerr == 0) {
goto done;
switch (fchild_pid) {
goto done;
if (kerr != 0) {
if (kerr != 0) {
exit(0);
errno = 0;
if (kerr > 0) {
if (kerr != 0) {
if (kerr != 0) {
goto done;
goto done;
done:
if (kerr == 0) {
return kerr;
errno = 0;
return ret;
return ret;
char *fast_principal_realm;
char *fast_principal;
char *tmp_str;
char *new_ccname;
if (tmp_str) {
if (kerr) {
return kerr;
&tmp_str);
if (kerr) {
return kerr;
if (!fast_principal) {
return KRB5KRB_ERR_GENERIC;
if (!fast_principal_realm) {
return ENOMEM;
if (kerr != 0) {
return kerr;
if (kerr != 0) {
return kerr;
if (kerr != 0) {
return kerr;
if (demand) {
if (kerr != 0) {
return kerr;
return EOK;
char *use_fast_str;
return EINVAL;
return EOK;
bool valid;
valid = false;
switch (ret) {
case ERR_NOT_FOUND:
case ENOENT:
case EINVAL:
case EOK:
valid = true;
return ret;
return EOK;
return ret;
return ret;
return EOK;
return ret;
return EOK;
return EOK;
if (ret != 0) {
if (ret != 0) {
return ret;
return EOK;
int parse_flags;
if (kerr != 0) {
return kerr;
if (kerr != 0) {
return EIO;
* missing in krb5.conf or to allow SSSD to work with multiple unconnected
if (kerr != 0) {
if (kerr != 0) {
return kerr;
if (kerr != 0) {
return kerr;
return ENOMEM;
if (kerr != 0) {
return kerr;
if (kerr != 0) {
return kerr;
if (!offline) {
return kerr;
int ret;
char *mem_keytab;
if (kerr != 0) {
return kerr;
if (kerr != 0) {
return kerr;
return ret;;
return ret;
if (!(offline ||
NULL);
if (kerr != 0) {
return kerr;
return kerr;
int opt;
&debug_to_stderr, 0,
switch(opt) {
if (!debug_prg_name) {
goto done;
goto done;
goto done;
if (kerr != 0) {
goto done;
if (kerr != 0) {
goto done;
goto done;
case SSS_PAM_AUTHENTICATE:
if (offline) {
case SSS_PAM_CHAUTHTOK:
case SSS_PAM_CHAUTHTOK_PRELIM:
case SSS_PAM_ACCT_MGMT:
case SSS_CMD_RENEW:
if (offline) {
goto done;
case SSS_PAM_PREAUTH:
goto done;
done:
ret = 0;