|
|
//+-------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1992.
//
// File: debug.cxx
//
// Contents: Debug definitions that shouldn't be necessary
// in the retail build.
//
// History: 19-Nov-92 WadeR Created
//
// Notes: If you change or add a debug level, also fix debug.hxx
// This is only compiled if DBG > 0
//
//--------------------------------------------------------------------------
#include "kdcsvr.hxx"
#include <kdcdbg.h>
#include "debug.hxx"
//
// The "#pragma hdrstop" causes the preprocessor to forget any "#if"s
// is is processing. Therefore you can't have it inside an "#if" block.
// So the includes will always compile, and the rest of this code becomes
// conditional.
//
#include <stddef.h>
#ifdef RETAIL_LOG_SUPPORT
//
// Variables for heap checking and used by sectrace.hxx:
//
// Set following to HEAP_CHECK_ON_ENTER | HEAP_CHECK_ON_EXIT for heap checking.
DWORD dwHeapChecking = 0;
// This keeps a registry key handle to the HKLM\System\CCSet\Control\LSA\// Kerberoskey
HKEY hKerbParams = NULL;HANDLE hKerbWait = NULL;
//
// Tons and tons of global data to get debugging params from the ini file.
//
// Note: For every trace bit, there must be a label in this array matching
// that trace bit and only that trace bit. There can be other labels
// matching combinations of trace bits.
//
DEBUG_KEY KdcDebugKeys[] = { {DEB_ERROR, "Error"}, {DEB_WARN, "Warning"}, {DEB_TRACE, "Trace"}, {DEB_T_KDC, "Kdc"}, {DEB_T_TICKETS, "Tickets"}, {DEB_T_DOMAIN, "Domain"}, {DEB_T_SOCK, "Sock"}, {DEB_T_TIME, "Time"}, {DEB_T_TRANSIT, "Transit"}, {DEB_T_PERF_STATS, "Perf"}, {DEB_T_PKI, "PKI"}, {DEB_T_PAPI, "PAPI"}, {DEB_T_U2U, "U2U"}, {DEB_T_PAC, "PAC"}, {DEB_T_KEY, "KEY"}, {DEB_T_S4U, "S4U"}, {0, NULL}, };
DEFINE_DEBUG2(KDC); VOIDFillExtendedError( IN NTSTATUS NtStatus, IN ULONG Flags, IN ULONG FileNum, IN ULONG LineNum, OUT PKERB_EXT_ERROR ExtendedError ){ ExtendedError->status = NtStatus; ExtendedError->klininfo = EXT_ERROR_ON(KDCInfoLevel) ? KLIN(FileNum, LineNum) : 0; ExtendedError->flags = Flags;}
////////////////////////////////////////////////////////////////////
//
// Name: GetDebugParams
//
// Synopsis: Gets the debug paramaters from the ini file.
//
// Arguments: <none>
//
// Notes: .
//
voidGetDebugParams(){ KDCInitDebug(KdcDebugKeys);}
#if DBG // moved here to utilize debug logging in free builds.
NTSTATUSKDC_GetState( handle_t hBinding, DWORD * KDCFlags, DWORD * MaxLifespan, DWORD * MaxRenewSpan, PTimeStamp FudgeFactor){ *FudgeFactor = SkewTime;
TimeStamp tsLife, tsRenew;
NTSTATUS hr = SecData.DebugGetState(KDCFlags, &tsLife, &tsRenew ); tsLife.QuadPart = (tsLife.QuadPart / ulTsPerSecond); *MaxLifespan =tsLife.LowPart; tsRenew.QuadPart = (tsRenew.QuadPart / ulTsPerSecond); *MaxRenewSpan = tsRenew.LowPart; return(hr);}
NTSTATUSKDC_SetState( handle_t hBinding, DWORD KdcFlags, DWORD MaxLifespan, DWORD MaxRenewSpan, TimeStamp FudgeFactor){ NTSTATUS hr; TimeStamp tsLife = {0,0}; TimeStamp tsRenew = {0,0};
if (FudgeFactor.QuadPart != 0) { SkewTime = FudgeFactor; Authenticators->SetMaxAge( SkewTime ); }
tsLife.QuadPart = (LONGLONG) MaxLifespan * 10000000; tsRenew.QuadPart = (LONGLONG) MaxRenewSpan * 10000000;
if (KdcFlags == 0) { KdcFlags = SecData.KdcFlags(); } if (MaxLifespan == 0) { tsLife = SecData.KdcTgtTicketLifespan(); }
if (MaxRenewSpan == 0) { tsLife = SecData.KdcTicketRenewSpan(); }
hr = SecData.DebugSetState(KdcFlags, tsLife, tsRenew);
SecData.DebugShowState();
return(hr);}
void PrintIntervalTime ( ULONG DebugFlag, LPSTR Message, PLARGE_INTEGER Interval ){ LONGLONG llTime = Interval->QuadPart; LONG lSeconds = (LONG) ( llTime / 10000000 ); LONG lMinutes = ( lSeconds / 60 ) % 60; LONG lHours = ( lSeconds / 3600 ); DebugLog(( DebugFlag, "%s %d:%2.2d:%2.2d \n", Message, lHours, lMinutes, lSeconds % 60 ));}
void PrintTime ( ULONG DebugFlag, LPSTR Message, PLARGE_INTEGER Time ){ SYSTEMTIME st;
FileTimeToSystemTime ( (PFILETIME) Time, & st ); DebugLog((DebugFlag, "%s %d-%d-%d %d:%2.2d:%2.2d\n", Message, st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond ));}
#else // DBG
NTSTATUSKDC_GetState( handle_t hBinding, DWORD * KDCFlags, DWORD * MaxLifespan, DWORD * MaxRenewSpan, PTimeStamp FudgeFactor){ return(STATUS_NOT_SUPPORTED);}
NTSTATUSKDC_SetState( handle_t hBinding, DWORD KDCFlags, DWORD MaxLifespan, DWORD MaxRenewSpan, TimeStamp FudgeFactor){ return(STATUS_NOT_SUPPORTED);}
#endif
#endif
BOOLEANKdcSetPassSupported( VOID ){ NET_API_STATUS NetStatus; ULONG SetPassUnsupported = 0; LPNET_CONFIG_HANDLE ConfigHandle = NULL;
NetStatus = NetpOpenConfigData( &ConfigHandle, NULL, // noserer name
L"kdc", TRUE // read only
); if (NetStatus != NO_ERROR) { return(TRUE); } NetStatus = NetpGetConfigDword( ConfigHandle, L"SetPassUnsupported", 0, &SetPassUnsupported );
NetpCloseConfigData( ConfigHandle ); if ((NetStatus == NO_ERROR) && (SetPassUnsupported == 1)) { return(FALSE); } else { return(TRUE); }}
//+-------------------------------------------------------------------------
//
// Function: KDC_SetPassword
//
// Synopsis: Sets password for an account
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKDC_SetPassword( IN handle_t hBinding, IN PUNICODE_STRING UserName, IN PUNICODE_STRING PrincipalName, IN PUNICODE_STRING Password, IN ULONG Flags ){ NTSTATUS Status = STATUS_SUCCESS; KERBERR KerbErr; SECPKG_SUPPLEMENTAL_CRED Credentials; KDC_TICKET_INFO TicketInfo; SAMPR_HANDLE UserHandle = NULL; KERB_EXT_ERROR ExtendedError; // dummy var.
Credentials.Credentials = NULL;
if (!KdcSetPassSupported()) { Status = STATUS_NOT_SUPPORTED; goto Cleanup; }
//
// Make sure we can impersonate the caller.
//
if (RpcImpersonateClient(NULL) != ERROR_SUCCESS) { Status = STATUS_ACCESS_DENIED; goto Cleanup; } else { RpcRevertToSelf(); }
// According to bug 228139, rpc definition of unicode strings allow
// for odd lengths. We will set them to even (1 less) so that we
// don't av in the lsa.
if (ARGUMENT_PRESENT(UserName) && UserName->Buffer) { UserName->Length = (UserName->Length/sizeof(WCHAR)) * sizeof(WCHAR); } else { Status = STATUS_INVALID_PARAMETER; goto Cleanup; }
KerbErr = KdcGetTicketInfo( UserName, 0, // no flags
FALSE, // do not restrict user accounts (user2user)
NULL, NULL, &TicketInfo, &ExtendedError, &UserHandle, 0L, // no fields to fetch
0L, // no extended fields
NULL, // no user all
NULL ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR, "Failed to get ticket info for %wZ: 0x%x\n", UserName, KerbErr )); Status = STATUS_NO_SUCH_USER; goto Cleanup; } FreeTicketInfo(&TicketInfo);
if (ARGUMENT_PRESENT(Password) && Password->Buffer) { Password->Length = (Password->Length/sizeof(WCHAR)) * sizeof(WCHAR); } else { Status = STATUS_INVALID_PARAMETER; goto Cleanup; }
if (ARGUMENT_PRESENT(PrincipalName) && PrincipalName->Buffer) { PrincipalName->Length = (PrincipalName->Length/sizeof(WCHAR)) * sizeof(WCHAR); } else { Status = STATUS_INVALID_PARAMETER; goto Cleanup; }
Status = KdcBuildPasswordList( Password, PrincipalName, SecData.KdcDnsRealmName(), UnknownAccount, NULL, // no stored creds
0, // no stored creds
TRUE, // marshall
FALSE, // don't include builtins
Flags, Unknown, (PKERB_STORED_CREDENTIAL *) &Credentials.Credentials, &Credentials.CredentialSize ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
RtlInitUnicodeString( &Credentials.PackageName, MICROSOFT_KERBEROS_NAME_W );
Status = SamIStorePrimaryCredentials( UserHandle, &Credentials ); if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR, "Failed to store primary credentials: 0x%x\n",Status)); goto Cleanup; }
Cleanup: if (UserHandle != NULL) { SamrCloseHandle(&UserHandle); } if (Credentials.Credentials != NULL) { MIDL_user_free(Credentials.Credentials); } return(Status);}
NTSTATUSKDC_GetDomainList( IN handle_t hBinding, OUT PKDC_DBG_DOMAIN_LIST * DomainList ){ NTSTATUS Status = STATUS_SUCCESS; PKDC_DBG_DOMAIN_LIST TempList; PKDC_DBG_DOMAIN_INFO DomainInfo = NULL; PKDC_DOMAIN_INFO Domain; ULONG DomainCount = 0; PLIST_ENTRY ListEntry; ULONG Index = 0;
*DomainList = NULL;
KdcLockDomainListFn();
TempList = (PKDC_DBG_DOMAIN_LIST) MIDL_user_allocate(sizeof(KDC_DBG_DOMAIN_LIST)); if (TempList == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
for (ListEntry = KdcDomainList.Flink; ListEntry != &KdcDomainList ; ListEntry = ListEntry->Flink ) { DomainCount++; }
DomainInfo = (PKDC_DBG_DOMAIN_INFO) MIDL_user_allocate(DomainCount * sizeof(KDC_DBG_DOMAIN_INFO)); if (DomainInfo == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; } RtlZeroMemory( DomainInfo, DomainCount * sizeof(KDC_DBG_DOMAIN_INFO) );
Index = 0; for (ListEntry = KdcDomainList.Flink; ListEntry != &KdcDomainList ; ListEntry = ListEntry->Flink ) { Domain = (PKDC_DOMAIN_INFO) CONTAINING_RECORD(ListEntry, KDC_DOMAIN_INFO, Next); KerbDuplicateString( &DomainInfo[Index].DnsName, &Domain->DnsName ); KerbDuplicateString( &DomainInfo[Index].NetbiosName, &Domain->NetbiosName ); if (Domain->ClosestRoute != NULL) { KerbDuplicateString( &DomainInfo[Index].ClosestRoute, &Domain->ClosestRoute->DnsName ); } DomainInfo->Type = Domain->Type; DomainInfo->Attributes = Domain->Attributes; Index++; }
TempList->Count = DomainCount; TempList->Domains = DomainInfo; *DomainList = TempList; TempList = NULL; DomainInfo = NULL;
Cleanup: KdcUnlockDomainListFn();
if (TempList != NULL) { MIDL_user_free(TempList); } if (DomainInfo != NULL) { MIDL_user_free(DomainInfo); }
return(Status);}
VOIDKdcCopyKeyData( OUT PKERB_KEY_DATA NewKey, IN PKERB_KEY_DATA OldKey, IN OUT PBYTE * Where, IN LONG_PTR Offset ){ //
// Copy the key
//
NewKey->Key.keytype = OldKey->Key.keytype; NewKey->Key.keyvalue.length = OldKey->Key.keyvalue.length; NewKey->Key.keyvalue.value = (*Where) - Offset; RtlCopyMemory( (*Where), OldKey->Key.keyvalue.value, OldKey->Key.keyvalue.length ); (*Where) += OldKey->Key.keyvalue.length;
//
// Copy the salt
//
if (OldKey->Salt.Buffer != NULL) { NewKey->Salt.Length = NewKey->Salt.MaximumLength = OldKey->Salt.Length; NewKey->Salt.Buffer = (LPWSTR) ((*Where) - Offset); RtlCopyMemory( (*Where), OldKey->Salt.Buffer, OldKey->Salt.Length ); (*Where) += OldKey->Salt.Length; }}
//+-------------------------------------------------------------------------
//
// Function: KDC_SetAccountKeys
//
// Synopsis: Set the keys for an account
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKDC_SetAccountKeys( IN handle_t hBinding, IN PUNICODE_STRING UserName, IN ULONG Flags, IN PKERB_STORED_CREDENTIAL Keys ){ NTSTATUS Status = STATUS_SUCCESS; KERBERR KerbErr; KERB_EXT_ERROR ExtendedError; // dummy var
SECPKG_SUPPLEMENTAL_CRED Credentials = {0}; KDC_TICKET_INFO TicketInfo= {0}; SAMPR_HANDLE UserHandle = NULL; PKERB_STORED_CREDENTIAL StoredCreds = NULL; PKERB_STORED_CREDENTIAL Passwords = NULL; ULONG StoredCredSize = 0; ULONG CredentialCount = 0; ULONG CredentialIndex = 0; ULONG Index; PBYTE Where; UNICODE_STRING DefaultSalt; LONG_PTR Offset;
if (!KdcSetPassSupported()) { Status = STATUS_NOT_SUPPORTED; goto Cleanup; }
//
// Make sure we can impersonate the caller.
//
if (RpcImpersonateClient(NULL) != ERROR_SUCCESS) { Status = STATUS_ACCESS_DENIED; goto Cleanup; } else { RpcRevertToSelf(); }
// According to bug 228139, rpc definition of unicode strings allow
// for odd lengths. We will set them to even (1 less) so that we
// don't av in the lsa.
if (ARGUMENT_PRESENT(UserName) && UserName->Buffer) { UserName->Length = (UserName->Length/sizeof(WCHAR)) * sizeof(WCHAR); } else { Status = STATUS_INVALID_PARAMETER; goto Cleanup; }
KerbErr = KdcGetTicketInfo( UserName, 0, // no flags
FALSE, // do not restrict user accounts (user2user)
NULL, NULL, &TicketInfo, &ExtendedError, &UserHandle, 0L, // no fields to fetch
0L, // no extended fields
NULL, // no user all
NULL ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR, "Failed to get ticket info for %wZ: 0x%x\n", UserName, KerbErr )); Status = STATUS_NO_SUCH_USER; goto Cleanup; }
//
// If the caller asks us to replace keys, then clobber all supplemental
// creds with the new ones. Otherwise, just replace the current ones
// with the old ones
//
Passwords = TicketInfo.Passwords;
if ((Flags & KERB_SET_KEYS_REPLACE) || (Passwords == NULL)) { KerbErr = KdcDuplicateCredentials( &StoredCreds, &StoredCredSize, Keys, TRUE // marshall
); if (!KERB_SUCCESS(KerbErr)) { Status = KerbMapKerbError(KerbErr); goto Cleanup; } } else { if (Keys->OldCredentialCount != 0) { DebugLog((DEB_ERROR,"OldCredentialCount supplied with merge-in keys - illegal\n")); Status = STATUS_INVALID_PARAMETER; goto Cleanup; }
//
// Calculate the size of the stored creds.
//
StoredCredSize = FIELD_OFFSET(KERB_STORED_CREDENTIAL,Credentials) + Keys->CredentialCount * sizeof(KERB_KEY_DATA) + Keys->DefaultSalt.Length;
for (Index = 0; Index < Keys->CredentialCount; Index++ ) { StoredCredSize += Keys->Credentials[Index].Salt.Length + Keys->Credentials[Index].Key.keyvalue.length; CredentialCount++; }
//
// Add in the keys that aren't in the supplied ones
//
if (Keys->DefaultSalt.Buffer == NULL) { StoredCredSize += Passwords->DefaultSalt.Length; }
//
// Add the size for all the keys in the passwords that weren't
// in the passed in keys
//
for (Index = 0; Index < Passwords->CredentialCount ; Index++ ) { if (KerbGetKeyFromList(Keys, Passwords->Credentials[Index].Key.keytype) == NULL) { //
// Make sure it is not a builtin
//
if ((Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_LM) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_MD4) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_HMAC_OLD) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_HMAC_OLD_EXP) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_HMAC_NT) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_HMAC_NT_EXP) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_NULL)) { continue; } StoredCredSize += Passwords->Credentials[Index].Salt.Length + Passwords->Credentials[Index].Key.keyvalue.length + sizeof(KERB_KEY_DATA); CredentialCount++; } }
//
// Add in the old keys
//
for (Index = 0; Index < Passwords->OldCredentialCount; Index++ ) { StoredCredSize += sizeof(KERB_KEY_DATA) + Passwords->Credentials[Index + Passwords->OldCredentialCount].Salt.Length + Passwords->Credentials[Index + Passwords->OldCredentialCount].Key.keyvalue.length; }
//
// Allocate a new buffer to contain the marshalled keys
//
StoredCreds = (PKERB_STORED_CREDENTIAL) MIDL_user_allocate(StoredCredSize); if (StoredCreds == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
RtlZeroMemory( StoredCreds, StoredCredSize );
//
// Set the standard bits
//
StoredCreds->Revision = KERB_PRIMARY_CRED_REVISION; StoredCreds->Flags = 0;
Offset = (LONG_PTR) StoredCreds; Where = (PBYTE) &(StoredCreds->Credentials[CredentialCount + Passwords->OldCredentialCount]);
//
// Copy in the default salt.
//
if (Keys->DefaultSalt.Buffer != NULL) { DefaultSalt = Keys->DefaultSalt; } else { DefaultSalt = Passwords->DefaultSalt; } if (DefaultSalt.Buffer != NULL) { StoredCreds->DefaultSalt.Length = StoredCreds->DefaultSalt.MaximumLength = DefaultSalt.Length; StoredCreds->DefaultSalt.Buffer = (LPWSTR) (Where - Offset); RtlCopyMemory( Where, DefaultSalt.Buffer, DefaultSalt.Length ); Where += DefaultSalt.Length; }
//
// Copy in all the new keys
//
for (Index = 0; Index < Keys->CredentialCount ; Index++ ) { KdcCopyKeyData( &StoredCreds->Credentials[CredentialIndex], &Keys->Credentials[Index], &Where, Offset ); CredentialIndex++; }
//
// Copy in the existing keys
//
for (Index = 0; Index < Passwords->CredentialCount ; Index++ ) { if (KerbGetKeyFromList(Keys, Passwords->Credentials[Index].Key.keytype) == NULL) { if ((Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_LM) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_MD4) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_HMAC_OLD) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_HMAC_OLD_EXP) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_HMAC_NT) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_RC4_HMAC_NT_EXP) || (Passwords->Credentials[Index].Key.keytype == KERB_ETYPE_NULL)) { continue; }
KdcCopyKeyData( &StoredCreds->Credentials[CredentialIndex], &Passwords->Credentials[Index], &Where, Offset ); CredentialIndex++; } } StoredCreds->CredentialCount = (USHORT) CredentialIndex;
//
// Copy in the old keys from the existing keys
//
for (Index = 0; Index < Passwords->OldCredentialCount; Index++ ) { KdcCopyKeyData( &StoredCreds->Credentials[CredentialIndex], &Passwords->Credentials[Index + Passwords->OldCredentialCount], &Where, Offset ); CredentialIndex++; }
StoredCreds->OldCredentialCount = Passwords->OldCredentialCount; }
RtlInitUnicodeString( &Credentials.PackageName, MICROSOFT_KERBEROS_NAME_W );
Credentials.Credentials = (PBYTE) StoredCreds; Credentials.CredentialSize = StoredCredSize; Status = SamIStorePrimaryCredentials( UserHandle, &Credentials ); if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR, "Failed to store primary credentials: 0x%x\n",Status)); goto Cleanup; }
Cleanup: FreeTicketInfo(&TicketInfo);
if (UserHandle != NULL) { SamrCloseHandle(&UserHandle); } if (StoredCreds != NULL) { MIDL_user_free(StoredCreds); } return(Status);}
|
