|
|
//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1993.
//
// File: tktutil.cxx
//
// Contents: x// Classes:
//
// Functions:
//
// History: 04-Mar-94 wader Created
//
//----------------------------------------------------------------------------
// Place any local #includes files here.
#include "kdcsvr.hxx"
extern "C"{#include <dns.h> // DNS_MAX_NAME_LENGTH
#include <ntdsa.h> // CrackSingleName
}#if DBG
#include <perftimr.hxx>
#endif
#include <userall.h>
#define FILENO FILENO_TKTUTIL
#define KDC_WSZ_GC L"gc"
#define KDC_GC_NAMEPARTS 3
//#define DONT_SUPPORT_OLD_TYPES_KDC 1
//
// Static data
//
//
// Fudge factor for comparing timestamps, because network clocks may
// be out of sync.
// Note: The lowpart is first!
//
LARGE_INTEGER SkewTime;
KERBERRKdcGetTicketInfo( IN PUNICODE_STRING UserName, IN ULONG LookupFlags, IN OPTIONAL PKERB_INTERNAL_NAME PrincipalName, IN OPTIONAL PKERB_REALM Realm, OUT PKDC_TICKET_INFO TicketInfo, OUT PKERB_EXT_ERROR pExtendedError, OUT OPTIONAL SAMPR_HANDLE * UserHandle, IN OPTIONAL ULONG WhichFields, IN OPTIONAL ULONG ExtendedFields, OUT OPTIONAL PUSER_INTERNAL6_INFORMATION * RetUserInfo, OUT OPTIONAL PSID_AND_ATTRIBUTES_LIST GroupMembership );
//+-------------------------------------------------------------------------
//
// Function: KdcBuildNt4Name
//
// Synopsis: Construct an NT4 style name for an account by separating
// the name into a principal & domain name, converting the
// domain name to netbios, and then creating "domain\user" name.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcBuildNt4Name( OUT LPWSTR * Nt4Name, OUT PUNICODE_STRING OutputRealm, IN PUNICODE_STRING Upn ){ ULONG Index; KERBERR KerbErr = KDC_ERR_NONE; LPWSTR OutputName = NULL; PKDC_DOMAIN_INFO DomainInfo = NULL; UNICODE_STRING RealmName; UNICODE_STRING PrincipalName;
//
// Find the first backslash or '@', or '.' in the name
//
RtlInitUnicodeString( OutputRealm, NULL ); *Nt4Name = NULL;
for (Index = Upn->Length/sizeof(WCHAR) - 1; Index > 0 ; Index-- ) { if (Upn->Buffer[Index] == L'@') { break; } }
if (Index == 0) { KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; goto Cleanup; }
//
// Pull out the realm name and look it up in the list of domains
//
PrincipalName = *Upn; PrincipalName.Length = (USHORT) Index * sizeof(WCHAR); PrincipalName.MaximumLength = (USHORT) Index * sizeof(WCHAR);
RealmName.Buffer = &Upn->Buffer[Index+1]; RealmName.Length = (USHORT) (Upn->Length - (Index + 1) * sizeof(WCHAR)); RealmName.MaximumLength = RealmName.Length;
KerbErr = KdcLookupDomainName( &DomainInfo, &RealmName, &KdcDomainList );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// We need a netbios name
//
if (DomainInfo->NetbiosName.Length == 0) { //
// Copy out the realm name so we can return a non-authoritative referral
//
if (!NT_SUCCESS(KerbDuplicateString( OutputRealm, &DomainInfo->DnsName ))) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } KerbErr = KDC_ERR_WRONG_REALM; goto Cleanup; }
//
// now build the output name
//
OutputName = (LPWSTR) MIDL_user_allocate(DomainInfo->NetbiosName.Length + PrincipalName.Length + 2 * sizeof(WCHAR)); if (OutputName == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
RtlCopyMemory( OutputName, DomainInfo->NetbiosName.Buffer, DomainInfo->NetbiosName.Length ); OutputName[DomainInfo->NetbiosName.Length/sizeof(WCHAR)] = L'\\'; RtlCopyMemory( OutputName + DomainInfo->NetbiosName.Length/sizeof(WCHAR) + 1, PrincipalName.Buffer, PrincipalName.Length ); OutputName[1 + (PrincipalName.Length + DomainInfo->NetbiosName.Length)/sizeof(WCHAR)] = L'\0';
*Nt4Name = OutputName; OutputName = NULL;Cleanup:
if (DomainInfo != NULL) { KdcDereferenceDomainInfo( DomainInfo ); } if (OutputName != NULL) { MIDL_user_free( OutputName ); } return(KerbErr);
}
//+-------------------------------------------------------------------------
//
// Function: KdcMatchCrossForestName
//
// Synopsis: Builds a list of the supplemental credentials and then
// encrypts it with the supplied key
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcMatchCrossForestName( IN PKERB_INTERNAL_NAME Principal, OUT PUNICODE_STRING RealmName ){
NTSTATUS Status = STATUS_SUCCESS; LSA_ROUTING_MATCH_TYPE MatchType; KERBERR KerbErr = KDC_ERR_NONE; UNICODE_STRING UnicodePrincipal = {0};
switch (Principal->NameType) { case KRB_NT_ENTERPRISE_PRINCIPAL: MatchType = RoutingMatchUpn; break; case KRB_NT_SRV_INST: MatchType = RoutingMatchSpn; break; default: return KRB_ERR_GENERIC; }
KerbErr = KerbConvertKdcNameToString( &UnicodePrincipal, Principal, NULL );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Can we match the SPN / UPN to external name space (realm)
//
Status = LsaIForestTrustFindMatch( MatchType, &UnicodePrincipal, RealmName );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_WARN, "LsaIForestTrustFindMatch failed - %x\n",Status)); goto Cleanup; }
Cleanup: if (!NT_SUCCESS(Status)) { KerbErr = KRB_ERR_GENERIC; }
KerbFreeString(&UnicodePrincipal);
return KerbErr;}
//+-------------------------------------------------------------------------
//
// Function: KdcCrackNameAtGC
//
// Synopsis: Cracks a name at a GC by first looking it up for
// UPN/SPN and then constructing an NT4-style name to lookup
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcCrackNameAtGC( IN PUNICODE_STRING Upn, IN PKERB_INTERNAL_NAME PrincipalName, IN DS_NAME_FORMAT NameType, OUT PUNICODE_STRING RealmName, OUT PKDC_TICKET_INFO TicketInfo, OUT PBOOLEAN Authoritative, OUT PBOOLEAN Referral, OUT PBOOLEAN CrossForest, OUT PKERB_EXT_ERROR pExtendedError, OUT OPTIONAL SAMPR_HANDLE * UserHandle, IN OPTIONAL ULONG WhichFields, IN OPTIONAL ULONG ExtendedFields, OUT OPTIONAL PUSER_INTERNAL6_INFORMATION * UserInfo, OUT OPTIONAL PSID_AND_ATTRIBUTES_LIST GroupMembership ){ KERBERR KerbErr = KDC_ERR_NONE; NTSTATUS Status; LPWSTR NullTerminatedName = NULL; UNICODE_STRING CrackedDomain = {0}; UNICODE_STRING LocalCrackedString = {0}; LPWSTR CrackedDnsDomain = NULL; ULONG CrackedDomainLength = (DNS_MAX_NAME_LENGTH+1) * sizeof(WCHAR); LPWSTR CrackedName = NULL; ULONG CrackedNameLength = (UNLEN+DNS_MAX_NAME_LENGTH + 2) * sizeof(WCHAR); ULONG CrackError = 0; BOOLEAN Retry = TRUE; BOOLEAN ReferToRoot = FALSE, UsedHack = FALSE; ULONG NameFlags = DS_NAME_FLAG_TRUST_REFERRAL | DS_NAME_FLAG_GCVERIFY; SECPKG_CALL_INFO CallInfo ;
*Authoritative = TRUE;
#ifdef notyet
//
// Check to see if the name is the machine name, and if so, don't try to
// go to the GC.
//
if ((NameType == DS_USER_PRINCIPAL_NAME) && RtlEqualUnicodeString( SecData.MachineUpn(), Upn, TRUE // case insensitive
)) { DebugLog((DEB_ERROR,"Trying to lookup machine upn %wZ on GC - failing early\n", Upn)); KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; goto Cleanup; }#endif
CrackedDnsDomain = (LPWSTR) MIDL_user_allocate(CrackedDomainLength); if (CrackedDnsDomain == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
CrackedName = (LPWSTR) MIDL_user_allocate(CrackedNameLength); if (CrackedName == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
//
// We can only retry for user principal names, which have a simple
// structure.
//
if (NameType != DS_USER_PRINCIPAL_NAME) { Retry = FALSE; } //
// So we didn't find the account locally. Now try the GC.
//
NullTerminatedName = KerbBuildNullTerminatedString( Upn ); if (NullTerminatedName == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
//
// If we are in a recursive state, then we need to *not* go to
// the GC, and try the crack locally. This is because we'll go in
// to a recursive tailspin and die. this is a hack to escape this
// situation until we work out a better soln. with DS folks.
//
if ( LsaIGetCallInfo( &CallInfo ) ) { if ( CallInfo.Attributes & SECPKG_CALL_RECURSIVE ) { UNICODE_STRING GCString; //
// This problem occurs when trying to crack a name of type:
// gc/dc.domain/domain. We're recursive, & trying to contact
// a gc, so make some assumptions about the name.
//
RtlInitUnicodeString( &GCString, KDC_WSZ_GC );
if ((PrincipalName->NameCount == KDC_GC_NAMEPARTS) && RtlEqualUnicodeString( &GCString, &PrincipalName->Names[0], TRUE )) { if (CrackedDnsDomain != NULL) { MIDL_user_free(CrackedDnsDomain); } if (CrackedName !=NULL) { MIDL_user_free(CrackedName); }
// note : these are gaurenteed to be '\0' terminated.
CrackedDnsDomain = PrincipalName->Names[2].Buffer; CrackedName = PrincipalName->Names[1].Buffer; UsedHack = TRUE;
DebugLog(( DEB_WARN, "Special case hack of %ws to '%ws' at domain '%ws'\n", NullTerminatedName, CrackedName, CrackedDnsDomain ));
Status = STATUS_SUCCESS ; CrackError = DS_NAME_NO_ERROR ; goto LocalHack ; }
} }
//
// If we're in the root domain, we could be getting asked for a
// name outside our forest. Look now, and attempt to
// create the ticket info for that external target realm
//
if (SecData.IsForestRoot() && SecData.IsCrossForestEnabled()) { KerbErr = KdcMatchCrossForestName( PrincipalName, &CrackedDomain );
if (KERB_SUCCESS(KerbErr)) { *CrossForest = TRUE;
} else { DebugLog((DEB_WARN, "Did not match UPN %wZ to cross forest\n", &Upn)); }
}
Retry:
if (!(*CrossForest)) {
Status = CrackSingleName( NameType, NameFlags, NullTerminatedName, DS_UNIQUE_ID_NAME, &CrackedDomainLength, CrackedDnsDomain, &CrackedNameLength, CrackedName, &CrackError );LocalHack:
if ((Status != STATUS_SUCCESS) || ( ( CrackError != DS_NAME_NO_ERROR ) && ( CrackError != DS_NAME_ERROR_DOMAIN_ONLY ) && ( CrackError != DS_NAME_ERROR_TRUST_REFERRAL)) ) { //
// If the name is a duplicate, log an event
//
if (CrackError == DS_NAME_ERROR_NOT_UNIQUE) { WCHAR LookupType[10];
swprintf(LookupType,L"%d",(ULONG) NameType);
ReportServiceEvent( EVENTLOG_ERROR_TYPE, KDCEVENT_NAME_NOT_UNIQUE, 0, NULL, 2, NullTerminatedName, LookupType );
}
DebugLog((DEB_WARN,"Failed to resolve name %ws: 0x%x, %d\n", NullTerminatedName, Status ,CrackError ));
if (Retry) { MIDL_user_free(NullTerminatedName); NullTerminatedName = NULL;
KerbErr = KdcBuildNt4Name( &NullTerminatedName, &CrackedDomain, Upn ); if (!KERB_SUCCESS(KerbErr)) { //
// If we got a wrong realm error, then we can return
// a non-authorititive answer
//
if (KerbErr == KDC_ERR_WRONG_REALM) { *Authoritative = FALSE; KerbErr = KDC_ERR_NONE; } else { goto Cleanup; } } else { NameType = DS_NT4_ACCOUNT_NAME; Retry = FALSE;
//
// Reset lengths
//
CrackedDomainLength = (DNS_MAX_NAME_LENGTH+1) * sizeof(WCHAR); CrackedNameLength = (UNLEN+DNS_MAX_NAME_LENGTH + 2) * sizeof(WCHAR); goto Retry; } } else { KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; goto Cleanup; } } //
// We got a Xforest referral, go to Root domain
//
else if (CrackError == DS_NAME_ERROR_TRUST_REFERRAL) {
RtlInitUnicodeString( &CrackedDomain, CrackedDnsDomain );
*CrossForest = TRUE; } else { RtlInitUnicodeString( &CrackedDomain, CrackedDnsDomain ); } }
//
// Decide whether we can open the account locally.
//
if (SecData.IsOurRealm( &CrackedDomain ))
{ RtlInitUnicodeString( &LocalCrackedString, CrackedName );
KerbErr = KdcGetTicketInfo( &LocalCrackedString, SAM_OPEN_BY_GUID, NULL, NULL, TicketInfo, pExtendedError, UserHandle, WhichFields, ExtendedFields, UserInfo, GroupMembership ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } } else { //
// Now get a referral for the cracked domain name
//
UNICODE_STRING ForestRoot = {0};
Status = SecData.GetKdcForestRoot(&ForestRoot);
if (!NT_SUCCESS(Status)) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
ReferToRoot = (((NameType == DS_SERVICE_PRINCIPAL_NAME) && (!SecData.IsForestRoot()) && (*CrossForest)));
KerbErr = KdcFindReferralTarget( TicketInfo, RealmName, pExtendedError, (ReferToRoot ? &ForestRoot : &CrackedDomain), FALSE, // not need ExactMatch
FALSE // not inbound
);
KerbFreeString(&ForestRoot);
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } *Referral = TRUE;
// Mark our referral realm as the cracked domain
if (ReferToRoot) { KerbFreeString(RealmName); KerbDuplicateString( RealmName, &CrackedDomain ); } }
Cleanup: if (!UsedHack) { if (CrackedDnsDomain != NULL) { MIDL_user_free(CrackedDnsDomain); } if (CrackedName !=NULL) { MIDL_user_free(CrackedName); } }
if (!*Authoritative) { KerbFreeString(&CrackedDomain); }
if (NullTerminatedName != NULL) { MIDL_user_free(NullTerminatedName); } return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KdcNormalize
//
// Synopsis: Takes an input name and returns the appropriate ticket
// information or referral information for that name
//
// Effects: If the name is not local, it may call the GC
//
// Arguments: PrincipalName - name to normalize
// PrincipalRealm - Realm that issued principal name
// RequestRealm - Realm field of a KDC request
// NameFlags - flags about name, may be:
// KDC_NAME_CLIENT or KDC_NAME_SERVER
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcNormalize( IN PKERB_INTERNAL_NAME PrincipalName, IN OPTIONAL PUNICODE_STRING PrincipalRealm, IN OPTIONAL PUNICODE_STRING RequestRealm, IN ULONG NameFlags, OUT PBOOLEAN Referral, OUT PUNICODE_STRING RealmName, OUT PKDC_TICKET_INFO TicketInfo, OUT PKERB_EXT_ERROR pExtendedError, OUT OPTIONAL SAMPR_HANDLE * UserHandle, IN OPTIONAL ULONG WhichFields, IN OPTIONAL ULONG ExtendedFields, OUT OPTIONAL PUSER_INTERNAL6_INFORMATION * UserInfo, OUT OPTIONAL PSID_AND_ATTRIBUTES_LIST GroupMembership ){ NTSTATUS Status = STATUS_SUCCESS; KERBERR KerbErr = KDC_ERR_NONE; BOOLEAN BuildUpn = FALSE; BOOLEAN CheckUpn = FALSE; BOOLEAN CheckSam = FALSE; BOOLEAN CheckGC = FALSE; BOOLEAN Reparse = FALSE; BOOLEAN Authoritative = TRUE; BOOLEAN CheckForInterDomain = FALSE; BOOLEAN ExactMatch = FALSE; BOOLEAN AddTrailingDollar = FALSE; BOOLEAN CrossForest = FALSE; UNICODE_STRING OutputPrincipal = {0}; UNICODE_STRING OutputRealm = {0}; UNICODE_STRING InputName = {0}; ULONG Index; UNICODE_STRING LocalPrincipalName = {0}; UNICODE_STRING Upn = {0}; LPWSTR NullTerminatedName = NULL; WCHAR CrackedDnsDomain[DNS_MAX_NAME_LENGTH+1]; ULONG CrackedDomainLength = sizeof(CrackedDnsDomain); PSID Sid = NULL; UNICODE_STRING SidName = {0};
TRACE(KDC, KdcNormalize, DEB_FUNCTION);
*Referral = FALSE;
if (!ARGUMENT_PRESENT(PrincipalName)) { DebugLog((DEB_ERROR,"KdcNormalize: Null PrincipalName. Failing\n")); KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; goto Cleanup; }
//
// Make sure the name is not zero length
//
if ((PrincipalName->NameCount == 0) || (PrincipalName->Names[0].Length == 0)) { DebugLog((DEB_ERROR,"KdcNormalize: trying to crack zero length name. Failing\n")); Status = KDC_ERR_C_PRINCIPAL_UNKNOWN; goto Cleanup; }
D_DebugLog((DEB_T_TICKETS,"Normalizing name:")); D_KerbPrintKdcName(DEB_T_TICKETS, PrincipalName);
//
// Check if we should look at the GC
//
if ((NameFlags & KDC_NAME_CHECK_GC) != 0) { CheckGC = TRUE; }
switch(PrincipalName->NameType) { default: case KRB_NT_UNKNOWN: //
// Drop through to more interesting name types
//
case KRB_NT_SRV_HST: case KRB_NT_SRV_INST: case KRB_NT_PRINCIPAL_AND_ID: case KRB_NT_SRV_INST_AND_ID:
//
// Get the sid from the name
//
KerbErr = KerbExtractSidFromKdcName( PrincipalName, &Sid ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to extract sid from name : ")); KerbPrintKdcName(DEB_ERROR,PrincipalName); goto Cleanup; } if (Sid != NULL) { SidName.MaximumLength = SidName.Length = (USHORT) RtlLengthSid(Sid); SidName.Buffer = (LPWSTR) Sid; }
case KRB_NT_PRINCIPAL: //
// Principal names are just sam names
//
if (PrincipalName->NameCount == 1) {
//
// If the client supplied our realm name, check SAM - otherwise just
// check for a UPN
//
if (SecData.IsOurRealm(RequestRealm)) { CheckSam = TRUE; }
//
// If we don't find it in SAM, build a UPN and look it up.
//
CheckUpn = TRUE; BuildUpn = TRUE; OutputPrincipal = PrincipalName->Names[0]; if (ARGUMENT_PRESENT(RequestRealm)) { OutputRealm = *RequestRealm; } else { OutputRealm = *SecData.KdcDnsRealmName(); } break; }
//
// Drop through
//
//
// Check to see if these are the 'krbtgt' account
//
if ((PrincipalName->NameCount == 2) && RtlEqualUnicodeString( &PrincipalName->Names[0], SecData.KdcServiceName(), TRUE)) // case insensitive
{ //
// Check if this is for a different domain - if it is for our
// domain but the principal domain is different, swap the
// domain name.
//
if (ARGUMENT_PRESENT(PrincipalRealm) && SecData.IsOurRealm( &PrincipalName->Names[1])) { OutputRealm = *PrincipalRealm; } else { OutputRealm = PrincipalName->Names[1]; }
//
// Strip trailing "."
//
if ((OutputRealm.Length > 0) && (OutputRealm.Buffer[-1 + OutputRealm.Length/sizeof(WCHAR)] == L'.')) { OutputRealm.Length -= sizeof(WCHAR); }
if (!SecData.IsOurRealm( &OutputRealm )) { CheckForInterDomain = TRUE; } else { CheckSam = TRUE; }
OutputPrincipal = PrincipalName->Names[0]; break; }
//
// Drop through
//
case KRB_NT_SRV_XHST:
//
// These names can't be SAM names ( SAM doesn't support this name
// type) and can't be interdomain (or it would have be caught up
// above).
//
// Check this name as a upn/spn.
//
CheckUpn = TRUE; BuildUpn = TRUE;
break; case KRB_NT_ENT_PRINCIPAL_AND_ID:
//
// Get the sid from the name
//
KerbErr = KerbExtractSidFromKdcName( PrincipalName, &Sid ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to extract sid from name : ")); KerbPrintKdcName(DEB_ERROR,PrincipalName); goto Cleanup; } if (Sid != NULL) { SidName.MaximumLength = SidName.Length = (USHORT) RtlLengthSid(Sid); SidName.Buffer = (LPWSTR) Sid; }
case KRB_NT_ENTERPRISE_PRINCIPAL: if (PrincipalName->NameCount != 1) { DebugLog((DEB_ERROR,"Enterprise name with more than one name part!\n")); KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; break; } OutputPrincipal = PrincipalName->Names[0];
CheckUpn = TRUE;
//
// If the name wasn't found as a UPN/SPN, reparse and try
// in SAM
//
InputName = PrincipalName->Names[0]; Reparse = TRUE; CheckSam = TRUE;
//
// Check for these on the GC
//
OutputRealm = *SecData.KdcDnsRealmName(); break;
case KRB_NT_MS_PRINCIPAL_AND_ID:
//
// Get the sid from the name
//
KerbErr = KerbExtractSidFromKdcName( PrincipalName, &Sid ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to extract sid from name : ")); KerbPrintKdcName(DEB_ERROR,PrincipalName); goto Cleanup; } if (Sid != NULL) { SidName.MaximumLength = SidName.Length = (USHORT) RtlLengthSid(Sid); SidName.Buffer = (LPWSTR) Sid; }
case KRB_NT_MS_PRINCIPAL: //
// These are domainname \ username names
//
if (PrincipalName->NameCount > 2) { DebugLog((DEB_ERROR,"MS principal has more than two name parts:")); KerbPrintKdcName(DEB_ERROR, PrincipalName);
KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; goto Cleanup; }
//
// Never check the GC for these names
//
CheckGC = FALSE;
//
// If there are two names, the first one is the principal, the second
// is the realm
//
if (PrincipalName->NameCount == 2) { DebugLog((DEB_WARN,"Client sent 2-part MS principalname!\n")); OutputPrincipal = PrincipalName->Names[0]; OutputRealm = PrincipalName->Names[1];
//
// Strip trailing "."
//
if ((OutputRealm.Length > 0) && (OutputRealm.Buffer[-1 + OutputRealm.Length/sizeof(WCHAR)] == L'.')) { OutputRealm.Length -= sizeof(WCHAR); }
} else { InputName = PrincipalName->Names[0]; Reparse = TRUE; } break;
case KRB_NT_UID: KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; DebugLog((DEB_WARN,"Unsupported name type: %d\n",PrincipalName->NameType)); goto Cleanup; }
//
// If we have a sid name, try that first, as it is the fastest.
//
if (SidName.Buffer != NULL) { D_DebugLog((DEB_T_TICKETS,"Checking sid name\n")); KerbErr = KdcGetTicketInfo( &SidName, SAM_OPEN_BY_SID, NULL, // no principal name
NULL, // no realm name,
TicketInfo, pExtendedError, UserHandle, WhichFields, ExtendedFields, UserInfo, GroupMembership ); if (KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Some errors aren't recoverable
//
if ((KerbErr == KDC_ERR_MUST_USE_USER2USER) || (KerbErr == KDC_ERR_SVC_UNAVAILABLE)) { goto Cleanup; }
}
//
// If we are supposed to reparse, then the name contains a name that we
// have to process. Look for '@' and '\' separators.
//
if (Reparse) {
DsysAssert(InputName.Length > 0);
//
// Find the first backslash or '@', or '.' in the name
//
for (Index = InputName.Length/sizeof(WCHAR) - 1; Index > 0 ; Index-- ) { if ((InputName.Buffer[Index] == L'\\') || (InputName.Buffer[Index] == L'@')) { break; } }
//
// If the name did not have one of those two separators, it
// must have been of the form "name"
//
if (Index == 0) {
OutputRealm = *SecData.KdcDnsRealmName(); OutputPrincipal = InputName;
//
// Lookup this name in SAM.
//
CheckSam = TRUE; } else { //
// The name had a '\' or an '@', so pick appart the two
// pieces.
//
//
// If the separator was an '@' then the second part of the name
// is the realm. If it was an '\' then the first part is the
// realm.
//
if (InputName.Buffer[Index] == L'@') {
OutputPrincipal = InputName; OutputPrincipal.Length = (USHORT) Index * sizeof(WCHAR); OutputPrincipal.MaximumLength = (USHORT) Index * sizeof(WCHAR);
OutputRealm.Buffer = &InputName.Buffer[Index+1]; OutputRealm.Length = (USHORT) (InputName.Length - (Index + 1) * sizeof(WCHAR)); OutputRealm.MaximumLength = OutputRealm.Length;
//
// Strip off a trailing '.'
//
if ((OutputRealm.Length > 0) && (OutputRealm.Buffer[-1 + OutputRealm.Length/sizeof(WCHAR)] == L'.')) { OutputRealm.Length -= sizeof(WCHAR); }
} else { DsysAssert(InputName.Buffer[Index] == L'\\');
OutputRealm = InputName; OutputRealm.Length = (USHORT) Index * sizeof(WCHAR); OutputRealm.MaximumLength = (USHORT) Index * sizeof(WCHAR);
OutputPrincipal.Buffer = &InputName.Buffer[Index+1]; OutputPrincipal.Length = (USHORT) (InputName.Length - (Index + 1) * sizeof(WCHAR)); OutputPrincipal.MaximumLength = OutputPrincipal.Length;
}
}
if ((OutputRealm.Length > 0) && (OutputRealm.Buffer[-1 + OutputRealm.Length/sizeof(WCHAR)] == L'.')) { OutputRealm.Length -= sizeof(WCHAR); }
//
// If the domain portion is not for our domain, don't check sam
//
if (!SecData.IsOurRealm( &OutputRealm ))
{ CheckForInterDomain = TRUE; CheckSam = FALSE; } else { //
// If we don't have a separate realm for the name,
// check for interdomain. This is because cross-realm
// requests have our own realm name in the name but
// another realm name in the domain.
//
if (RtlEqualUnicodeString( &OutputPrincipal, SecData.KdcServiceName(), TRUE )) {
if (ARGUMENT_PRESENT(PrincipalRealm)) { //
// Try the supplied realm. If it is present, and points
// to a different domain, lookup up interdomain
//
OutputRealm = *PrincipalRealm; if (!SecData.IsOurRealm( &OutputRealm )) { CheckForInterDomain = TRUE; CheckSam = FALSE; } else { CheckSam = TRUE; } } else { CheckSam = TRUE; } } else { CheckSam = TRUE; }
}
}
// We could end up with CheckUpn and BuildUpn with both client names
// and spns. We need to allow spns of the type
// service/hostname to be looked up in sam (without appending an @realm
// to it). If KDC_NAME_SERVER is passed, it must be an spn, so, we
// don't add the @realm
if (CheckUpn) { if (BuildUpn && ((NameFlags & KDC_NAME_SERVER) == 0)) { D_DebugLog((DEB_T_TICKETS,"Building UPN\n")); KerbErr = KerbConvertKdcNameToString( &Upn, PrincipalName, ARGUMENT_PRESENT(RequestRealm) ? RequestRealm : SecData.KdcDnsRealmName() ); } else { KerbErr = KerbConvertKdcNameToString( &Upn, PrincipalName, NULL // no realm name
); } if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } D_DebugLog((DEB_T_TICKETS,"Lookup up upn/spn %wZ\n",&Upn));
KerbErr = KdcGetTicketInfo( &Upn, (NameFlags & KDC_NAME_SERVER) ? SAM_OPEN_BY_SPN : SAM_OPEN_BY_UPN, NULL, // no principal name
NULL, // no realm name,
TicketInfo, pExtendedError, UserHandle, WhichFields, ExtendedFields, UserInfo, GroupMembership );
if (KERB_SUCCESS(KerbErr)) { goto Cleanup; } //
// Some errors aren't recoverable
//
if ((KerbErr == KDC_ERR_MUST_USE_USER2USER) || (KerbErr == KDC_ERR_SVC_UNAVAILABLE)) { goto Cleanup; }
} //
// Next check for sam account names, as some of these may later be looked
// up as UPNs
//
if (CheckSam) {
D_DebugLog((DEB_T_TICKETS,"Checking name in SAM\n")); KerbErr = KdcGetTicketInfo( &OutputPrincipal, 0, // no lookup flags means sam name
NULL, // no principal name
NULL, // no realm name,
TicketInfo, pExtendedError, UserHandle, WhichFields, ExtendedFields, UserInfo, GroupMembership ); if (KERB_SUCCESS(KerbErr)) { goto Cleanup; } //
// Some errors aren't recoverable
//
if ((KerbErr == KDC_ERR_MUST_USE_USER2USER) || (KerbErr == KDC_ERR_SVC_UNAVAILABLE)) { goto Cleanup; }
}
//
// Now, depending on which flags are set, try to do different things.
//
if (CheckForInterDomain) { D_DebugLog((DEB_T_TICKETS,"Checking name interdomain\n")); //
// If the target name is not KRBTGT, this must be a referral.
//
if (!RtlEqualUnicodeString( &OutputPrincipal, SecData.KdcServiceName(), TRUE)) // case insensitive
{ *Referral = TRUE;
} if ((NameFlags & KDC_NAME_FOLLOW_REFERRALS) == 0) { //
// We need an exact match on the domain name
//
if (*Referral) { DebugLog((DEB_ERROR,"Client asked for principal in another realm but no referrals!\n")); KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; goto Cleanup; }
//
// We also only accept the krbtgt account name
//
ExactMatch = TRUE;
}
KerbErr = KdcFindReferralTarget( TicketInfo, RealmName, pExtendedError, &OutputRealm, ExactMatch, (NameFlags & KDC_NAME_INBOUND) != 0 ); if (KERB_SUCCESS(KerbErr)) { //
// If the output realm & the realm we asked for is different,
// this is a referral (meaning an we don't have a password
// for the principal name on this machine)
//
if (!KerbCompareUnicodeRealmNames( RealmName, &OutputRealm )) { *Referral = TRUE; } goto Cleanup; }
//
// This is an interdomain TGT, potentialy w/ a target outside of our
// forest. Use the crackname call to determine whether or not to
// allow the call to proceed. If so, go to our root domain.
//
if (!SecData.IsForestRoot()) {
// FESTER:
DebugLog((DEB_T_TICKETS, "Calling KdcCheckForCrossForestReferral %wZ:\n", &OutputRealm));
KerbErr = KdcCheckForCrossForestReferral( TicketInfo, RealmName, pExtendedError, &OutputRealm, NameFlags );
if (KERB_SUCCESS(KerbErr)) { DebugLog((DEB_T_TICKETS, "Got referral (%wZ) destined for x forest - %wZ\n", RealmName,&OutputRealm)); *Referral = TRUE; goto Cleanup;
}
//
// Where did this come from???
// Unless we have knowledge of the DNS domain, we're hosed.
//
else { DebugLog((DEB_T_TICKETS, "Recieved interdomain referral with unknown targetname : %wZ\n", &OutputRealm));
KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; // fake error, see below
goto Cleanup; } }
}
if (CheckGC) { if (Upn.Buffer == NULL) { //
// Build the UPN here.
//
D_DebugLog((DEB_T_TICKETS,"Building UPN\n")); KerbErr = KerbConvertKdcNameToString( &Upn, PrincipalName, ARGUMENT_PRESENT(RequestRealm) ? RequestRealm : SecData.KdcDnsRealmName() ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
} DsysAssert(Upn.Buffer != NULL); D_DebugLog((DEB_T_TICKETS,"Checking name %wZ in GC\n", &Upn));
//
// If the caller doesn't want us to follow referrals, fail here.
//
if ((NameFlags & KDC_NAME_FOLLOW_REFERRALS) == 0) { KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; goto Cleanup; }
//
// This will allow us to open sam locally as well
//
KerbErr = KdcCrackNameAtGC( &Upn, PrincipalName, ((NameFlags & KDC_NAME_CLIENT) != 0) ? DS_USER_PRINCIPAL_NAME : DS_SERVICE_PRINCIPAL_NAME, RealmName, TicketInfo, &Authoritative, Referral, &CrossForest, pExtendedError, UserHandle, WhichFields, ExtendedFields, UserInfo, GroupMembership );
goto Cleanup; }
KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN;
Cleanup: KerbFreeString( &Upn ); KerbFreeString( &LocalPrincipalName ); if (Sid != NULL) { MIDL_user_free(Sid); }
if (KerbErr == KDC_ERR_C_PRINCIPAL_UNKNOWN) { if ((NameFlags & KDC_NAME_SERVER) != 0) { KerbErr = KDC_ERR_S_PRINCIPAL_UNKNOWN; } } return(KerbErr);}
//+---------------------------------------------------------------------------
//
// Function: GetTimeStamps
//
// Synopsis: Gets the current time and clock skew envelope.
//
// Arguments: [ptsFudge] -- (in) amount of clock skew to allow.
// [ptsNow] -- (out) the current time
// [ptsNowPlus] -- (out) the current time plus the skew.
// [ptsNowMinus] -- (out) the current time less the skew
//
// History: 4-23-93 WadeR Created
//
//----------------------------------------------------------------------------
voidGetTimeStamps( IN PLARGE_INTEGER ptsFudge, OUT PLARGE_INTEGER ptsNow, OUT PLARGE_INTEGER ptsNowPlus, OUT PLARGE_INTEGER ptsNowMinus ){ TRACE(KDC, GetTimeStamps, DEB_FUNCTION);
GetSystemTimeAsFileTime((PFILETIME) ptsNow ); ptsNowPlus->QuadPart = ptsNow->QuadPart + ptsFudge->QuadPart; ptsNowMinus->QuadPart = ptsNow->QuadPart - ptsFudge->QuadPart;}
//+-------------------------------------------------------------------------
//
// Function: KdcBuildTicketTimesAndFlags
//
// Synopsis: Computes the times and flags for a new ticket
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcBuildTicketTimesAndFlags( IN ULONG ClientPolicyFlags, IN ULONG ServerPolicyFlags, IN PLARGE_INTEGER DomainTicketLifespan, IN PLARGE_INTEGER DomainTicketRenewspan, IN OPTIONAL PLARGE_INTEGER LogoffTime, IN OPTIONAL PLARGE_INTEGER AccountExpiry, IN PKERB_KDC_REQUEST_BODY RequestBody, IN OPTIONAL PKERB_ENCRYPTED_TICKET SourceTicket, IN OUT PKERB_ENCRYPTED_TICKET Ticket, IN OUT OPTIONAL PKERB_EXT_ERROR ExtendedError ) { KERBERR KerbErr = KDC_ERR_NONE; LARGE_INTEGER RequestEndTime; LARGE_INTEGER RequestStartTime; LARGE_INTEGER RequestRenewTime;
LARGE_INTEGER SourceEndTime; LARGE_INTEGER SourceRenewTime; LARGE_INTEGER SourceStartTime; ULONG SourceTicketFlags = 0; ULONG FinalTicketFlags = 0; ULONG KdcOptions = 0;
LARGE_INTEGER FinalEndTime; LARGE_INTEGER FinalStartTime; LARGE_INTEGER FinalRenewTime; LARGE_INTEGER LocalLogoffTime; BOOLEAN Renewable = FALSE;
LARGE_INTEGER CurrentTime;
TRACE(KDC, KdcBuildTicketTimesAndFlags, DEB_FUNCTION);
GetSystemTimeAsFileTime((PFILETIME)&CurrentTime); FinalEndTime.QuadPart = 0; FinalStartTime.QuadPart = 0; FinalRenewTime.QuadPart = 0;
KdcOptions = KerbConvertFlagsToUlong(&RequestBody->kdc_options);
//
// Get the force logoff time
//
if (ARGUMENT_PRESENT(LogoffTime)) { LocalLogoffTime = *LogoffTime; } else { LocalLogoffTime = tsInfinity; }
//
// Get the request times out of the request
//
if (RequestBody->bit_mask & KERB_KDC_REQUEST_BODY_starttime_present) { KerbConvertGeneralizedTimeToLargeInt( &RequestStartTime, &RequestBody->KERB_KDC_REQUEST_BODY_starttime, NULL ); } else { RequestStartTime.QuadPart = 0; }
KerbConvertGeneralizedTimeToLargeInt( &RequestEndTime, &RequestBody->endtime, NULL );
if (RequestBody->bit_mask & KERB_KDC_REQUEST_BODY_renew_until_present) { KerbConvertGeneralizedTimeToLargeInt( &RequestRenewTime, &RequestBody->KERB_KDC_REQUEST_BODY_renew_until, NULL ); } else { RequestRenewTime.QuadPart = 0; }
//
// Get the times out of the source ticket (if present)
//
if (ARGUMENT_PRESENT(SourceTicket)) { if (SourceTicket->bit_mask & KERB_ENCRYPTED_TICKET_starttime_present) { KerbConvertGeneralizedTimeToLargeInt( &SourceStartTime, &SourceTicket->KERB_ENCRYPTED_TICKET_starttime, NULL );
} else { SourceStartTime.QuadPart = 0; }
KerbConvertGeneralizedTimeToLargeInt( &SourceEndTime, &SourceTicket->endtime, NULL );
if (SourceTicket->bit_mask & KERB_ENCRYPTED_TICKET_renew_until_present) { KerbConvertGeneralizedTimeToLargeInt( &SourceRenewTime, &SourceTicket->KERB_ENCRYPTED_TICKET_renew_until, NULL );
} else { SourceRenewTime.QuadPart = 0; } SourceTicketFlags = KerbConvertFlagsToUlong(&SourceTicket->flags); } else { //
// Set the maximums in this case, which is probably an AS request.
//
SourceStartTime = CurrentTime; SourceEndTime = tsInfinity; SourceRenewTime = tsInfinity; SourceTicketFlags = 0;
//
// Fill in the source flags from what the client policy & domain policy
// allow
//
if ((ClientPolicyFlags & AUTH_REQ_ALLOW_FORWARDABLE) != 0) { SourceTicketFlags |= KERB_TICKET_FLAGS_forwardable; } if ((ClientPolicyFlags & AUTH_REQ_ALLOW_PROXIABLE) != 0) { SourceTicketFlags |= KERB_TICKET_FLAGS_proxiable; } if ((ClientPolicyFlags & AUTH_REQ_ALLOW_POSTDATE) != 0) { SourceTicketFlags |= KERB_TICKET_FLAGS_may_postdate; } if ((ClientPolicyFlags & AUTH_REQ_ALLOW_RENEWABLE) != 0) { SourceTicketFlags |= KERB_TICKET_FLAGS_renewable; }
}
//
// Start computing the flags, from algorithm in RFC1510 appendix A.6
//
//
// Delegation flags
//
if ((ServerPolicyFlags & AUTH_REQ_OK_AS_DELEGATE) != 0) { FinalTicketFlags |= KERB_TICKET_FLAGS_ok_as_delegate; }
//
// Forward flags
//
if (KdcOptions & KERB_KDC_OPTIONS_forwardable) { if ((SourceTicketFlags & KERB_TICKET_FLAGS_forwardable) && (ServerPolicyFlags & AUTH_REQ_ALLOW_FORWARDABLE)) { FinalTicketFlags |= KERB_TICKET_FLAGS_forwardable; } else { DebugLog((DEB_ERROR,"Asked for forwardable but not allowed\n"));// KerbErr = KDC_ERR_BADOPTION;
// goto Cleanup;
} }
if (KdcOptions & KERB_KDC_OPTIONS_forwarded) { if ((SourceTicketFlags & KERB_TICKET_FLAGS_forwardable) && (ServerPolicyFlags & AUTH_REQ_ALLOW_FORWARDABLE)) { FinalTicketFlags |= KERB_TICKET_FLAGS_forwarded; } else { DebugLog((DEB_ERROR,"Asked for forwarded but not allowed\n")); KerbErr = KDC_ERR_BADOPTION; goto Cleanup; } }
if (SourceTicketFlags & KERB_TICKET_FLAGS_forwarded) { FinalTicketFlags |= KERB_TICKET_FLAGS_forwarded; }
//
// preauth flags
//
if (SourceTicketFlags & KERB_TICKET_FLAGS_pre_authent) { FinalTicketFlags |= KERB_TICKET_FLAGS_pre_authent; }
//
// Proxy flags
//
if (KdcOptions & KERB_KDC_OPTIONS_proxiable) { if ((SourceTicketFlags & KERB_TICKET_FLAGS_proxiable) && (ServerPolicyFlags & AUTH_REQ_ALLOW_PROXIABLE)) { FinalTicketFlags |= KERB_TICKET_FLAGS_proxiable; } else { DebugLog((DEB_ERROR,"Asked for proxiable but not allowed\n"));// KerbErr = KDC_ERR_BADOPTION;
// goto Cleanup;
} }
if (KdcOptions & KERB_KDC_OPTIONS_proxy) { if ((SourceTicketFlags & KERB_TICKET_FLAGS_proxiable) && (ServerPolicyFlags & AUTH_REQ_ALLOW_PROXIABLE)) { FinalTicketFlags |= KERB_TICKET_FLAGS_proxy; } else { DebugLog((DEB_ERROR,"Asked for proxy but not allowed\n")); KerbErr = KDC_ERR_BADOPTION; goto Cleanup; } }
//
// Postdate
//
if (KdcOptions & KERB_KDC_OPTIONS_allow_postdate) { if ((SourceTicketFlags & KERB_TICKET_FLAGS_may_postdate) && (ServerPolicyFlags & AUTH_REQ_ALLOW_POSTDATE)) { FinalTicketFlags |= KERB_TICKET_FLAGS_may_postdate; } else { DebugLog((DEB_ERROR,"Asked for postdate but not allowed\n")); KerbErr = KDC_ERR_BADOPTION; goto Cleanup; } }
if (KdcOptions & KERB_KDC_OPTIONS_postdated) { if ((SourceTicketFlags & KERB_TICKET_FLAGS_may_postdate) && (ServerPolicyFlags & AUTH_REQ_ALLOW_POSTDATE)) { FinalTicketFlags |= KERB_TICKET_FLAGS_postdated | KERB_TICKET_FLAGS_invalid;
//
// Start time is required here
//
if (RequestStartTime.QuadPart == 0) { DebugLog((DEB_ERROR, "Asked for postdate but start time not present\n")); KerbErr = KDC_ERR_CANNOT_POSTDATE; goto Cleanup; }
} }
//
// Validate
//
if (KdcOptions & KERB_KDC_OPTIONS_validate) { if ((SourceTicketFlags & KERB_TICKET_FLAGS_invalid) == 0) { DebugLog((DEB_ERROR,"Trying to validate a valid ticket\n")); KerbErr = KDC_ERR_POLICY; goto Cleanup; } if ((SourceStartTime.QuadPart == 0) || (SourceStartTime.QuadPart < CurrentTime.QuadPart - SkewTime.QuadPart)) { DebugLog((DEB_ERROR,"Trying to validate a ticket before it is valid\n")); KerbErr = KRB_AP_ERR_TKT_NYV; goto Cleanup; } }
//
// Start filling in time fields
//
if (ARGUMENT_PRESENT(SourceTicket)) { Ticket->authtime = SourceTicket->authtime; } else { KerbConvertLargeIntToGeneralizedTime( &Ticket->authtime, NULL, &CurrentTime );
}
//
// The times are computed differently for renewing a ticket and for
// getting a new ticket.
//
if ((KdcOptions & KERB_KDC_OPTIONS_renew) != 0) { if ((SourceRenewTime.QuadPart == 0) || (SourceStartTime.QuadPart == 0) || ((SourceTicketFlags & KERB_TICKET_FLAGS_renewable) == 0) || ((ServerPolicyFlags & AUTH_REQ_ALLOW_RENEWABLE) == 0)) { DebugLog((DEB_ERROR,"Trying to renew a non-renewable ticket or against policy\n")); KerbErr = KDC_ERR_BADOPTION; goto Cleanup; }
//
// Make sure the renew time is in the future
//
if (SourceRenewTime.QuadPart < CurrentTime.QuadPart) { DebugLog((DEB_ERROR, "Trying to renew a ticket past its renew time\n")); KerbErr = KRB_AP_ERR_TKT_EXPIRED; goto Cleanup; }
//
// Make sure the end time is in the past
//
if (SourceEndTime.QuadPart < CurrentTime.QuadPart) { DebugLog((DEB_ERROR, "Trying to renew an expired ticket\n")); KerbErr = KRB_AP_ERR_TKT_EXPIRED; goto Cleanup; } FinalStartTime = CurrentTime;
//
// The end time is the minimum of the current time plus lifespan
// of the old ticket and the renew until time of the old ticket
//
FinalEndTime.QuadPart = CurrentTime.QuadPart + (SourceEndTime.QuadPart - SourceStartTime.QuadPart); if (FinalEndTime.QuadPart > SourceRenewTime.QuadPart) { FinalEndTime = SourceRenewTime; } FinalRenewTime = SourceRenewTime; FinalTicketFlags = SourceTicketFlags;
Renewable = TRUE; } else { //
// Compute start and end times for normal tickets
//
//
// Set the start time
//
if (RequestStartTime.QuadPart == 0) { FinalStartTime = CurrentTime; } else { FinalStartTime = RequestStartTime; }
//
// Set the end time
//
if (RequestEndTime.QuadPart == 0) { FinalEndTime = tsInfinity; } else { FinalEndTime = RequestEndTime; }
if (FinalEndTime.QuadPart > SourceEndTime.QuadPart) { FinalEndTime = SourceEndTime; }
if (FinalEndTime.QuadPart > CurrentTime.QuadPart + DomainTicketLifespan->QuadPart) { FinalEndTime.QuadPart = CurrentTime.QuadPart + DomainTicketLifespan->QuadPart; }
//
// Check for renewable-ok
//
if ((KdcOptions & KERB_KDC_OPTIONS_renewable_ok) && (FinalEndTime.QuadPart < RequestEndTime.QuadPart) && (SourceTicketFlags & KERB_TICKET_FLAGS_renewable)) { KdcOptions |= KERB_KDC_OPTIONS_renewable; RequestRenewTime = RequestEndTime;
//
// Make sure that the source ticket had a renewtime (it
// should because it is renewable)
//
DsysAssert(SourceRenewTime.QuadPart != 0); if (RequestRenewTime.QuadPart > SourceRenewTime.QuadPart) { RequestRenewTime = SourceRenewTime; } } }
if (!Renewable) { //
// Compute renew times
//
if (RequestRenewTime.QuadPart == 0) { RequestRenewTime = tsInfinity; }
if ((KdcOptions & KERB_KDC_OPTIONS_renewable) && (SourceTicketFlags & KERB_TICKET_FLAGS_renewable) && (ServerPolicyFlags & AUTH_REQ_ALLOW_RENEWABLE)) { FinalRenewTime = RequestRenewTime; if (FinalRenewTime.QuadPart > FinalStartTime.QuadPart + DomainTicketRenewspan->QuadPart) { FinalRenewTime.QuadPart = FinalStartTime.QuadPart + DomainTicketRenewspan->QuadPart; }
DsysAssert(SourceRenewTime.QuadPart != 0);
if (FinalRenewTime.QuadPart > SourceRenewTime.QuadPart) { FinalRenewTime = SourceRenewTime; } FinalTicketFlags |= KERB_TICKET_FLAGS_renewable;
} else { FinalRenewTime.QuadPart = 0; } }
//
// Make sure the final ticket is valid
//
if (FinalStartTime.QuadPart > FinalEndTime.QuadPart) { DebugLog((DEB_ERROR,"Client asked for endtime before starttime\n")); KerbErr = KDC_ERR_BADOPTION;
FILL_EXT_ERROR_EX(ExtendedError, STATUS_TIME_DIFFERENCE_AT_DC, FILENO, __LINE__); goto Cleanup; }
//
// Don't bother with this check - it doesn't really hurt to have a
// renew time less than an end time
//
//
// if ((FinalRenewTime.QuadPart != 0) &&
// (FinalRenewTime.QuadPart < FinalEndTime.QuadPart))
// {
// DebugLog((DEB_ERROR,"Client asked for renew time before endtime\n"));
// KerbErr = KDC_ERR_BADOPTION;
// goto Cleanup;
// }
//
//
// Incorporate the logoff time (according to logon hours) by reseting
// both the final end time and final renew time
//
if (FinalEndTime.QuadPart > LocalLogoffTime.QuadPart) { FinalEndTime.QuadPart = LocalLogoffTime.QuadPart; }
if (FinalRenewTime.QuadPart > LocalLogoffTime.QuadPart) { FinalRenewTime.QuadPart = LocalLogoffTime.QuadPart; }
//
// Tickets good only until acct expires.
// We make the assumption that the sam has
// already checked this against the current time
// when we're checking the logon restrictions.
//
if ((ARGUMENT_PRESENT(AccountExpiry) && (AccountExpiry->QuadPart != 0 ))) { if (FinalEndTime.QuadPart > AccountExpiry->QuadPart) { FinalEndTime.QuadPart = AccountExpiry->QuadPart; }
if (FinalRenewTime.QuadPart > AccountExpiry->QuadPart) { FinalRenewTime.QuadPart = AccountExpiry->QuadPart; }
}
//
// Fill in the times in the ticket
//
KerbConvertLargeIntToGeneralizedTime( &Ticket->KERB_ENCRYPTED_TICKET_starttime, NULL, &FinalStartTime ); Ticket->bit_mask |= KERB_ENCRYPTED_TICKET_starttime_present;
KerbConvertLargeIntToGeneralizedTime( &Ticket->endtime, NULL, &FinalEndTime );
if (FinalRenewTime.QuadPart != 0) { KerbConvertLargeIntToGeneralizedTime( &Ticket->KERB_ENCRYPTED_TICKET_renew_until, NULL, &FinalRenewTime ); Ticket->bit_mask |= KERB_ENCRYPTED_TICKET_renew_until_present;
}
//
// Copy in the flags
//
DsysAssert(Ticket->flags.length == sizeof(ULONG) * 8); *((PULONG) Ticket->flags.value) = KerbConvertUlongToFlagUlong(FinalTicketFlags);Cleanup: return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KdcGetUserKeys
//
// Synopsis: retrieves user keys
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcGetUserKeys( IN SAMPR_HANDLE UserHandle, IN PUSER_INTERNAL6_INFORMATION UserInfo, OUT PKERB_STORED_CREDENTIAL * Passwords, OUT PKERB_STORED_CREDENTIAL * OldPasswords, OUT PKERB_EXT_ERROR pExtendedError ){ KERBERR KerbErr = KDC_ERR_NONE; NTSTATUS Status; PKERB_STORED_CREDENTIAL Keys = NULL; PKERB_STORED_CREDENTIAL StoredCreds = NULL; PKERB_STORED_CREDENTIAL Cred64 = NULL; ULONG CredentialSize = 0; ULONG NewCredentialCount = 0; ULONG NewCredentialSize = 0; ULONG Index, CredentialIndex = 0, Offset; USHORT Flags = 0; PUCHAR Base; BOOLEAN UseStoredCreds = FALSE, UnMarshalledCreds = FALSE; PCRYPTO_SYSTEM NullCryptoSystem = NULL; BOOLEAN UseBuiltins = TRUE; PNT_OWF_PASSWORD OldNtPassword = NULL; NT_OWF_PASSWORD OldPasswordData = {0}; PUSER_ALL_INFORMATION UserAll = &UserInfo->I1;
TRACE(KDC, KdcGetUserKeys, DEB_FUNCTION);
//
// First get any primary credentials
//
Status = SamIRetrievePrimaryCredentials( UserHandle, &GlobalKerberosName, (PVOID *) &StoredCreds, &CredentialSize );
//
// if there is not value, it's O.K we will default to using
// Builtin credentials
//
if (STATUS_DS_NO_ATTRIBUTE_OR_VALUE==Status) { Status = STATUS_SUCCESS; }
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR, "Failed to retrieve primary credentials: 0x%x\n",Status)); KerbErr = KRB_ERR_GENERIC; FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__); goto Cleanup; }
//
// We need to unmarshall these creds from the DS
// They'll be stored in 32 bit format, but we've
// got to put them into 64 bit format.
// KerbUnpack32BitStoredCredential()
//
#ifdef _WIN64
Status = KdcUnpack32BitStoredCredential( (PKERB_STORED_CREDENTIAL32) StoredCreds, &Cred64, &CredentialSize );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR, "Failed to unpack 32bit stored credential, contact Todds - %x\n", Status)); DsysAssert(FALSE); // FATAL - If we ever fail above, contact Todds
goto Cleanup; }
if (NULL != StoredCreds) { LocalFree(StoredCreds); StoredCreds = Cred64; UnMarshalledCreds = TRUE; // diff't allocator
}
#endif
//
// First compute the current passwords
//
//
// Figure out the size of the stored credentials
//
if ((StoredCreds != NULL) && (CredentialSize > sizeof(KERB_STORED_CREDENTIAL) && (StoredCreds->Revision == KERB_PRIMARY_CRED_REVISION) && (CredentialSize > (sizeof(KERB_STORED_CREDENTIAL) - (ANYSIZE_ARRAY * sizeof(KERB_KEY_DATA)) + StoredCreds->CredentialCount * sizeof(KERB_KEY_DATA) ))) && (StoredCreds->DefaultSalt.Length + (ULONG_PTR) StoredCreds->DefaultSalt.Buffer <= CredentialSize )) { UseStoredCreds = TRUE; Flags = StoredCreds->Flags; if ((UserAll->UserAccountControl & USER_USE_DES_KEY_ONLY) != 0) { UseBuiltins = FALSE; }
NewCredentialSize += StoredCreds->DefaultSalt.Length;
for (Index = 0; Index < StoredCreds->CredentialCount ; Index++ ) { //
// Validat the offsets
//
if ((StoredCreds->Credentials[Index].Key.keyvalue.length + (ULONG_PTR) StoredCreds->Credentials[Index].Key.keyvalue.value <= CredentialSize ) && (StoredCreds->Credentials[Index].Salt.Length + (ULONG_PTR) StoredCreds->Credentials[Index].Salt.Buffer <= CredentialSize ))
{ NewCredentialCount++; NewCredentialSize += sizeof(KERB_KEY_DATA) + StoredCreds->Credentials[Index].Key.keyvalue.length + StoredCreds->Credentials[Index].Salt.Length; } else { LPWSTR Buff = NULL;
DebugLog((DEB_ERROR,"Corrupt credentials for user %wZ\n", &UserAll->UserName ));
DsysAssert(FALSE);
Buff = KerbBuildNullTerminatedString(&UserAll->UserName); if (NULL == Buff) { break; }
ReportServiceEvent( EVENTLOG_ERROR_TYPE, KDCEVENT_CORRUPT_CREDENTIALS, 0, // no raw data
NULL, // no raw data
1, // number of strings
Buff );
UseStoredCreds = FALSE; NewCredentialCount = 0; NewCredentialSize = 0;
if (NULL != Buff) { MIDL_user_free(Buff); }
break; }
}
}
//
// If the password length is the size of the OWF password, use it as the
// key. Otherwise hash it. This is for the case where not password is
// set.
//
if (UseBuiltins) { //
// Add a key for RC4_HMAC_NT
//
if (UserAll->NtPasswordPresent) { NewCredentialSize += sizeof(KERB_KEY_DATA) + sizeof(NT_OWF_PASSWORD); NewCredentialCount++;
}#ifndef DONT_SUPPORT_OLD_TYPES_KDC
//
// Add a key for RC4_HMAC_OLD & MD4_RC4
if (UserAll->NtPasswordPresent) { NewCredentialSize += sizeof(KERB_KEY_DATA) + sizeof(NT_OWF_PASSWORD); NewCredentialCount++;
NewCredentialSize += sizeof(KERB_KEY_DATA) + sizeof(NT_OWF_PASSWORD); NewCredentialCount++;
}#endif
//
// if there is no password, treat it as blank
//
if (!(UserAll->LmPasswordPresent || UserAll->NtPasswordPresent)) { NewCredentialSize += sizeof(KERB_KEY_DATA) + sizeof(NT_OWF_PASSWORD); NewCredentialCount++; }#ifndef DONT_SUPPORT_OLD_TYPES_KDC
if (!(UserAll->LmPasswordPresent || UserAll->NtPasswordPresent)) { NewCredentialSize += sizeof(KERB_KEY_DATA) + sizeof(NT_OWF_PASSWORD); NewCredentialCount++;
NewCredentialSize += sizeof(KERB_KEY_DATA) + sizeof(NT_OWF_PASSWORD); NewCredentialCount++; }#endif
}
//
// Add a key for the null crypto system
//
Status = CDLocateCSystem( KERB_ETYPE_NULL, &NullCryptoSystem ); if (NT_SUCCESS(Status)) { NewCredentialSize += sizeof(KERB_KEY_DATA) + NullCryptoSystem->KeySize; NewCredentialCount++; }
//
// Add the space for the base structure
//
NewCredentialSize += sizeof(KERB_STORED_CREDENTIAL) - (ANYSIZE_ARRAY * sizeof(KERB_KEY_DATA));
//
// Allocate space for the credentials and start filling them in
//
Keys = (PKERB_STORED_CREDENTIAL) MIDL_user_allocate(NewCredentialSize); if (Keys == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } RtlZeroMemory( Keys, NewCredentialSize );
Offset = sizeof(KERB_STORED_CREDENTIAL) - (ANYSIZE_ARRAY * sizeof(KERB_KEY_DATA)) + NewCredentialCount * sizeof(KERB_KEY_DATA);
Base = (PUCHAR) Keys;
Keys->CredentialCount = (USHORT) NewCredentialCount; Keys->OldCredentialCount = 0; Keys->Revision = KERB_PRIMARY_CRED_REVISION; Keys->Flags = Flags;
//
// Add the credentials built from the OWF passwords first.
//
if (UseBuiltins) { //
// Create the key for RC4_HMAC_NT
//
if (UserAll->NtPasswordPresent) { RtlCopyMemory( Base+Offset, UserAll->NtPassword.Buffer, UserAll->NtPassword.Length );
KerbErr = KerbCreateKeyFromBuffer( &Keys->Credentials[CredentialIndex].Key, Base+Offset, UserAll->NtPassword.Length, KERB_ETYPE_RC4_HMAC_NT ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
Offset += UserAll->NtPassword.Length;
//
// Set an empty salt for this key
//
Keys->Credentials[CredentialIndex].Salt.Length = 0; Keys->Credentials[CredentialIndex].Salt.MaximumLength = 0; Keys->Credentials[CredentialIndex].Salt.Buffer = (LPWSTR) (Base + Offset); CredentialIndex++; }#ifndef DONT_SUPPORT_OLD_TYPES_KDC
//
// Create the key for RC4_HMAC_OLD
//
if (UserAll->NtPasswordPresent) { RtlCopyMemory( Base+Offset, UserAll->NtPassword.Buffer, UserAll->NtPassword.Length );
KerbErr = KerbCreateKeyFromBuffer( &Keys->Credentials[CredentialIndex].Key, Base+Offset, UserAll->NtPassword.Length, KERB_ETYPE_RC4_HMAC_OLD ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } Offset += UserAll->NtPassword.Length; //
// Set an empty salt for this key
//
Keys->Credentials[CredentialIndex].Salt.Length = 0; Keys->Credentials[CredentialIndex].Salt.MaximumLength = 0; Keys->Credentials[CredentialIndex].Salt.Buffer = (LPWSTR) (Base + Offset);
CredentialIndex++;
RtlCopyMemory( Base+Offset, UserAll->NtPassword.Buffer, UserAll->NtPassword.Length );
KerbErr = KerbCreateKeyFromBuffer( &Keys->Credentials[CredentialIndex].Key, Base+Offset, UserAll->NtPassword.Length, KERB_ETYPE_RC4_MD4 ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } Offset += UserAll->NtPassword.Length;
//
// Set an empty salt for this key
//
Keys->Credentials[CredentialIndex].Salt.Length = 0; Keys->Credentials[CredentialIndex].Salt.MaximumLength = 0; Keys->Credentials[CredentialIndex].Salt.Buffer = (LPWSTR) (Base + Offset); CredentialIndex++;
}#endif
//
// If no passwords were present, add the null password
//
if (!(UserAll->LmPasswordPresent || UserAll->NtPasswordPresent)) { KERB_ENCRYPTION_KEY TempKey; UNICODE_STRING NullString; RtlInitUnicodeString( &NullString, NULL ); KerbErr = KerbHashPassword( &NullString, KERB_ETYPE_RC4_HMAC_NT, &TempKey ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
Keys->Credentials[CredentialIndex].Key = TempKey; Keys->Credentials[CredentialIndex].Key.keyvalue.value = Base + Offset; RtlCopyMemory( Base+Offset, TempKey.keyvalue.value, TempKey.keyvalue.length );
Offset += TempKey.keyvalue.length;
//
// Set an empty salt for this key
//
Keys->Credentials[CredentialIndex].Salt.Length = 0; Keys->Credentials[CredentialIndex].Salt.MaximumLength = 0; Keys->Credentials[CredentialIndex].Salt.Buffer = (LPWSTR) (Base + Offset);
CredentialIndex++; KerbFreeKey(&TempKey);
}#ifndef DONT_SUPPORT_OLD_TYPES_KDC
if (!(UserAll->LmPasswordPresent || UserAll->NtPasswordPresent)) { KERB_ENCRYPTION_KEY TempKey; UNICODE_STRING NullString; RtlInitUnicodeString( &NullString, NULL ); KerbErr = KerbHashPassword( &NullString, KERB_ETYPE_RC4_HMAC_OLD, &TempKey ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
Keys->Credentials[CredentialIndex].Key = TempKey; Keys->Credentials[CredentialIndex].Key.keyvalue.value = Base + Offset; RtlCopyMemory( Base+Offset, TempKey.keyvalue.value, TempKey.keyvalue.length );
Offset += TempKey.keyvalue.length;
//
// Set an empty salt for this key
//
Keys->Credentials[CredentialIndex].Salt.Length = 0; Keys->Credentials[CredentialIndex].Salt.MaximumLength = 0; Keys->Credentials[CredentialIndex].Salt.Buffer = (LPWSTR) (Base + Offset);
CredentialIndex++; KerbFreeKey(&TempKey);
KerbErr = KerbHashPassword( &NullString, KERB_ETYPE_RC4_MD4, &TempKey ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
Keys->Credentials[CredentialIndex].Key = TempKey; Keys->Credentials[CredentialIndex].Key.keyvalue.value = Base + Offset; RtlCopyMemory( Base+Offset, TempKey.keyvalue.value, TempKey.keyvalue.length );
Offset += TempKey.keyvalue.length; CredentialIndex++; KerbFreeKey(&TempKey); }
#endif
} //
// Add the null crypto system
//
if (NullCryptoSystem != NULL) { UNICODE_STRING NullString; RtlInitUnicodeString( &NullString, NULL );
Status = NullCryptoSystem->HashString( &NullString, Base+Offset ); DsysAssert(NT_SUCCESS(Status));
Keys->Credentials[CredentialIndex].Key.keyvalue.value = Base+Offset; Keys->Credentials[CredentialIndex].Key.keyvalue.length = NullCryptoSystem->KeySize; Keys->Credentials[CredentialIndex].Key.keytype = KERB_ETYPE_NULL;
Offset += NullCryptoSystem->KeySize;
CredentialIndex++;
}
//
// Now add the stored passwords
//
if (UseStoredCreds) { //
// Copy the default salt
//
if (StoredCreds->DefaultSalt.Buffer != NULL) { Keys->DefaultSalt.Buffer = (LPWSTR) (Base+Offset);
RtlCopyMemory( Base + Offset, (PBYTE) StoredCreds->DefaultSalt.Buffer + (ULONG_PTR) StoredCreds, StoredCreds->DefaultSalt.Length ); Offset += StoredCreds->DefaultSalt.Length; Keys->DefaultSalt.Length = Keys->DefaultSalt.MaximumLength = StoredCreds->DefaultSalt.Length; }
for (Index = 0; Index < StoredCreds->CredentialCount ; Index++ ) { //
// Copy the key
//
Keys->Credentials[CredentialIndex] = StoredCreds->Credentials[Index]; Keys->Credentials[CredentialIndex].Key.keyvalue.value = Base+Offset; RtlCopyMemory( Keys->Credentials[CredentialIndex].Key.keyvalue.value, StoredCreds->Credentials[Index].Key.keyvalue.value + (ULONG_PTR) StoredCreds, StoredCreds->Credentials[Index].Key.keyvalue.length ); Offset += StoredCreds->Credentials[Index].Key.keyvalue.length;
//
// Copy the salt
//
if (StoredCreds->Credentials[Index].Salt.Buffer != NULL) { Keys->Credentials[CredentialIndex].Salt.Buffer = (LPWSTR) (Base+Offset);
RtlCopyMemory( Base + Offset, (PBYTE) StoredCreds->Credentials[Index].Salt.Buffer + (ULONG_PTR) StoredCreds, StoredCreds->Credentials[Index].Salt.Length ); Offset += StoredCreds->Credentials[Index].Salt.Length; Keys->Credentials[CredentialIndex].Salt.Length = Keys->Credentials[CredentialIndex].Salt.MaximumLength = StoredCreds->Credentials[Index].Salt.Length; }
CredentialIndex++; } }
DsysAssert(CredentialIndex == NewCredentialCount); DsysAssert(Offset == NewCredentialSize); *Passwords = Keys; Keys = NULL;
//
// Now compute the old passwords
//
//
// Figure out the size of the stored credentials
//
NewCredentialCount = 0; NewCredentialSize = 0; CredentialIndex = 0;
if ((StoredCreds != NULL) && (CredentialSize > sizeof(KERB_STORED_CREDENTIAL) && (StoredCreds->Revision == KERB_PRIMARY_CRED_REVISION) && (CredentialSize > (sizeof(KERB_STORED_CREDENTIAL) - (ANYSIZE_ARRAY * sizeof(KERB_KEY_DATA)) + (StoredCreds->OldCredentialCount + StoredCreds->CredentialCount) * sizeof(KERB_KEY_DATA) )))) { UseStoredCreds = TRUE; Flags = StoredCreds->Flags; if ((UserAll->UserAccountControl & USER_USE_DES_KEY_ONLY) != 0) { UseBuiltins = FALSE; }
for (Index = 0; Index < StoredCreds->OldCredentialCount ; Index++ ) { if (StoredCreds->Credentials[StoredCreds->CredentialCount + Index].Key.keyvalue.length + (ULONG_PTR) StoredCreds->Credentials[StoredCreds->CredentialCount + Index].Key.keyvalue.value <= CredentialSize ) { NewCredentialCount++; NewCredentialSize += sizeof(KERB_KEY_DATA) + StoredCreds->Credentials[StoredCreds->CredentialCount + Index].Key.keyvalue.length; } else { LPWSTR Buff = NULL;
DebugLog((DEB_ERROR,"Corrupt credentials for user %wZ\n", &UserAll->UserName ));
DsysAssert(FALSE);
Buff = KerbBuildNullTerminatedString(&UserAll->UserName); if (NULL == Buff) { break; }
ReportServiceEvent( EVENTLOG_ERROR_TYPE, KDCEVENT_CORRUPT_CREDENTIALS, 0, // no raw data
NULL, // no raw data
1, // number of strings
Buff );
if (NULL != Buff) { MIDL_user_free(Buff); }
UseStoredCreds = FALSE; NewCredentialCount = 0; NewCredentialSize = 0; break; }
}
}
//
// If the password length is the size of the OWF password, use it as the
// key. Otherwise hash it. This is for the case where not password is
// set.
//
if (UseBuiltins) { PSAMI_PRIVATE_DATA_PASSWORD_RELATIVE_TYPE PrivateData;
if (UserAll->PrivateData.Length >= sizeof(SAMI_PRIVATE_DATA_PASSWORD_RELATIVE_TYPE)) { PrivateData= (PSAMI_PRIVATE_DATA_PASSWORD_RELATIVE_TYPE) UserAll->PrivateData.Buffer; if (PrivateData->DataType == SamPrivateDataPassword) { //
// The old password is the 2nd entry
//
if (PrivateData->NtPasswordHistory.Length >= 2* sizeof(ENCRYPTED_NT_OWF_PASSWORD)) { //
// Decrypt the old password with the RID. The history starts
// at the first byte after the structure.
//
Status = RtlDecryptNtOwfPwdWithIndex( (PENCRYPTED_NT_OWF_PASSWORD) (PrivateData + 1) + 1, (PLONG)&UserAll->UserId, &OldPasswordData ); if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR,"Failed to decrypt old password: 0x%x\n",Status)); KerbErr = KRB_ERR_GENERIC; goto Cleanup; } OldNtPassword = &OldPasswordData ; } } } if (OldNtPassword != NULL) { //
// Add an RC4_HMAC_NT key
//
NewCredentialSize += sizeof(KERB_KEY_DATA) + sizeof(NT_OWF_PASSWORD); NewCredentialCount++;
#ifndef DONT_SUPPORT_OLD_TYPES_KDC
//
// Add a key for RC4_HMAC_OLD & RC4_MD4
//
NewCredentialSize += sizeof(KERB_KEY_DATA) + sizeof(NT_OWF_PASSWORD);
NewCredentialCount++; NewCredentialSize += sizeof(KERB_KEY_DATA) + sizeof(NT_OWF_PASSWORD);
NewCredentialCount++;#endif
}
}
//
// Add the space for the base structure
//
NewCredentialSize += sizeof(KERB_STORED_CREDENTIAL) - (ANYSIZE_ARRAY * sizeof(KERB_KEY_DATA));
//
// Allocate space for the credentials and start filling them in
//
Keys = (PKERB_STORED_CREDENTIAL) MIDL_user_allocate(NewCredentialSize); if (Keys == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } RtlZeroMemory( Keys, NewCredentialSize );
Offset = sizeof(KERB_STORED_CREDENTIAL) - (ANYSIZE_ARRAY * sizeof(KERB_KEY_DATA)) + NewCredentialCount * sizeof(KERB_KEY_DATA);
Base = (PUCHAR) Keys;
Keys->CredentialCount = (USHORT) NewCredentialCount; Keys->OldCredentialCount = 0; Keys->Revision = KERB_PRIMARY_CRED_REVISION; Keys->Flags = Flags;
//
// Add the credentials built from the OWF passwords first. We don't
// include a blank password or the null crypt system because they
// were present in the normal password
//
if (UseBuiltins) { //
// Create the key for RC4_HMAC_NT
//
if (OldNtPassword != NULL) {
//
// Set an empty salt for this key
//
Keys->Credentials[CredentialIndex].Salt.Length = 0; Keys->Credentials[CredentialIndex].Salt.MaximumLength = 0; Keys->Credentials[CredentialIndex].Salt.Buffer = (LPWSTR) (Base + Offset);
RtlCopyMemory( Base+Offset, OldNtPassword, NT_OWF_PASSWORD_LENGTH );
KerbErr = KerbCreateKeyFromBuffer( &Keys->Credentials[CredentialIndex++].Key, Base+Offset, UserAll->NtPassword.Length, KERB_ETYPE_RC4_HMAC_NT ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
// We don't know any other way to get the old password length. If
// it was present, it must be sizeof(NT_OWF_PASSWORD)
Offset += sizeof(NT_OWF_PASSWORD);
#ifndef DONT_SUPPORT_OLD_TYPES_KDC
//
// Create the key for RC4_HMAC_OLD
//
//
// Set an empty salt for this key
//
Keys->Credentials[CredentialIndex].Salt.Length = 0; Keys->Credentials[CredentialIndex].Salt.MaximumLength = 0; Keys->Credentials[CredentialIndex].Salt.Buffer = (LPWSTR) (Base + Offset);
RtlCopyMemory( Base+Offset, OldNtPassword, NT_OWF_PASSWORD_LENGTH );
KerbErr = KerbCreateKeyFromBuffer( &Keys->Credentials[CredentialIndex++].Key, Base+Offset, UserAll->NtPassword.Length, KERB_ETYPE_RC4_HMAC_OLD ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
// We don't know any other way to get the old password length. If
// it was present, it must be sizeof(NT_OWF_PASSWORD)
Offset += sizeof(NT_OWF_PASSWORD);
//
// Create the key for RC4_HMAC_OLD
//
//
// Set an empty salt for this key
//
Keys->Credentials[CredentialIndex].Salt.Length = 0; Keys->Credentials[CredentialIndex].Salt.MaximumLength = 0; Keys->Credentials[CredentialIndex].Salt.Buffer = (LPWSTR) (Base + Offset);
RtlCopyMemory( Base+Offset, OldNtPassword, NT_OWF_PASSWORD_LENGTH );
KerbErr = KerbCreateKeyFromBuffer( &Keys->Credentials[CredentialIndex++].Key, Base+Offset, UserAll->NtPassword.Length, KERB_ETYPE_RC4_MD4 ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
// We don't know any other way to get the old password length. If
// it was present, it must be sizeof(NT_OWF_PASSWORD)
Offset += sizeof(NT_OWF_PASSWORD);
#endif
} } //
// Now add the stored passwords
//
if (UseStoredCreds) { for (Index = 0; Index < StoredCreds->OldCredentialCount ; Index++ ) { Keys->Credentials[CredentialIndex] = StoredCreds->Credentials[StoredCreds->CredentialCount + Index]; Keys->Credentials[CredentialIndex].Key.keyvalue.value = Base+Offset; RtlCopyMemory( Keys->Credentials[CredentialIndex].Key.keyvalue.value, StoredCreds->Credentials[StoredCreds->CredentialCount + Index].Key.keyvalue.value + (ULONG_PTR) StoredCreds, StoredCreds->Credentials[StoredCreds->CredentialCount + Index].Key.keyvalue.length ); Offset += StoredCreds->Credentials[StoredCreds->CredentialCount + Index].Key.keyvalue.length;
//
// Note - don't use salt here.
//
CredentialIndex++; } }
DsysAssert(CredentialIndex == NewCredentialCount); DsysAssert(Offset == NewCredentialSize); *OldPasswords = Keys; Keys = NULL;
KerbErr = KDC_ERR_NONE;
Cleanup: if (StoredCreds != NULL) { if (!UnMarshalledCreds) { LocalFree(StoredCreds); } else { MIDL_user_free(Cred64); } } if (Keys != NULL) { MIDL_user_free(Keys); } return(KerbErr);
}
//+-------------------------------------------------------------------------
//
// Function: KerbDuplicateCredentials
//
// Synopsis: Copies a set of credentials (passwords)
//
// Effects: allocates output with MIDL_user_allocate
//
// Arguments: NewCredentials - recevies new set of credentials
// OldCredentials - contains credentials to copy
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcDuplicateCredentials( OUT PKERB_STORED_CREDENTIAL * NewCredentials, OUT PULONG ReturnCredentialSize, IN PKERB_STORED_CREDENTIAL OldCredentials, IN BOOLEAN MarshallKeys ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_STORED_CREDENTIAL Credential = NULL; ULONG CredentialSize; USHORT Index; PBYTE Where; LONG_PTR Offset;
TRACE(KDC, KdcDuplicateCredentials, DEB_FUNCTION);
//
// If there were no credentials, so be it. We can live with that.
//
if (OldCredentials == NULL) { *NewCredentials = NULL; goto Cleanup; }
//
// Calculate the size of the new credentials by summing the size of
// the base structure plus the keys
//
CredentialSize = sizeof(KERB_STORED_CREDENTIAL) - ANYSIZE_ARRAY * sizeof(KERB_KEY_DATA) + OldCredentials->CredentialCount * sizeof(KERB_KEY_DATA) + OldCredentials->DefaultSalt.Length; for ( Index = 0; Index < OldCredentials->CredentialCount + OldCredentials->OldCredentialCount ; Index++ ) { CredentialSize += OldCredentials->Credentials[Index].Key.keyvalue.length + OldCredentials->Credentials[Index].Salt.Length; }
//
// Allocate the new credential and copy over the old credentials
//
Credential = (PKERB_STORED_CREDENTIAL) MIDL_user_allocate(CredentialSize); if (Credential == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
Credential->Revision = OldCredentials->Revision; Credential->Flags = OldCredentials->Flags; Credential->CredentialCount = OldCredentials->CredentialCount; Credential->OldCredentialCount = OldCredentials->OldCredentialCount;
//
// Set the offset for data to be after the last array element
//
RtlCopyMemory( &Credential->Credentials[0], &OldCredentials->Credentials[0], OldCredentials->CredentialCount * sizeof(KERB_KEY_DATA) );
Where = (PBYTE) &Credential->Credentials[Credential->CredentialCount];
if (MarshallKeys) { Offset = (LONG_PTR) Credential; } else { Offset = 0; }
Credential->DefaultSalt = OldCredentials->DefaultSalt; if (Credential->DefaultSalt.Buffer != NULL) { Credential->DefaultSalt.Buffer = (LPWSTR) (Where - Offset); RtlCopyMemory( Where, OldCredentials->DefaultSalt.Buffer, Credential->DefaultSalt.Length ); Where += Credential->DefaultSalt.Length; }
for ( Index = 0; Index < OldCredentials->CredentialCount + OldCredentials->OldCredentialCount ; Index++ ) { Credential->Credentials[Index] = OldCredentials->Credentials[Index]; Credential->Credentials[Index].Key.keyvalue.value = (Where - Offset); RtlCopyMemory( Where, OldCredentials->Credentials[Index].Key.keyvalue.value, OldCredentials->Credentials[Index].Key.keyvalue.length ); Where += OldCredentials->Credentials[Index].Key.keyvalue.length;
if (Credential->Credentials[Index].Salt.Buffer != NULL) { Credential->Credentials[Index].Salt.Buffer = (LPWSTR) (Where - Offset);
RtlCopyMemory( Where, OldCredentials->Credentials[Index].Salt.Buffer, OldCredentials->Credentials[Index].Salt.Length ); Where += OldCredentials->Credentials[Index].Salt.Length; } } DsysAssert(Where - (PUCHAR) Credential == (LONG) CredentialSize);
*NewCredentials = Credential; Credential = NULL; *ReturnCredentialSize = CredentialSize;
Cleanup: if (Credential != NULL) { MIDL_user_free(Credential); } return(KerbErr);}
//+---------------------------------------------------------------------------
//
// Function: KdcGetTicketInfo
//
// Synopsis: Gets the info needed to build a ticket for a principal
// using name of the principal.
//
//
// Effects:
//
// Arguments: Name -- (in) Normalized of principal
// LookupFlags - Flags for SamIGetUserLogonInformation
// PrincipalName - (in) non-normalized principal name
// Realm - (in) client realm, to be used when mapping principals
// from another domain onto accounts in this one.
// TicketInfo -- (out) Ticket info.
// pExtendedError -- (out) Extended error
// UserHandle - receives handle to the user
// WhichFields - optionally specifies additional fields to fetch for RetUserInfo
// ExtendedFields - optionally specifies extended fields to fetch for RetUserInfo
// RetUserInfo - Optionally receives the user all info structure
// GroupMembership - Optionally receives the user's group membership
//
// Returns: KerbErr
//
// Algorithm:
//
// History: 10-Nov-93 WadeR Created
// 22-Mar-95 SuChang Modified to use RIDs
//
//
//----------------------------------------------------------------------------
KERBERRKdcGetTicketInfo( IN PUNICODE_STRING GenericUserName, IN ULONG LookupFlags, IN OPTIONAL PKERB_INTERNAL_NAME PrincipalName, IN OPTIONAL PKERB_REALM Realm, OUT PKDC_TICKET_INFO TicketInfo, OUT PKERB_EXT_ERROR pExtendedError, OUT OPTIONAL SAMPR_HANDLE * UserHandle, IN OPTIONAL ULONG WhichFields, IN OPTIONAL ULONG ExtendedFields, OUT OPTIONAL PUSER_INTERNAL6_INFORMATION * RetUserInfo, OUT OPTIONAL PSID_AND_ATTRIBUTES_LIST GroupMembership ){ NTSTATUS Status = STATUS_NOT_FOUND; KERBERR KerbErr = KDC_ERR_NONE; SID_AND_ATTRIBUTES_LIST LocalMembership; SAMPR_HANDLE LocalUserHandle = NULL; PUSER_INTERNAL6_INFORMATION UserInfo = NULL; PUSER_ALL_INFORMATION UserAll; GUID testGuid; UNICODE_STRING TUserName = {0}; PUNICODE_STRING UserName = NULL; UNICODE_STRING AlternateName = {0}; UNICODE_STRING TempString = {0}; BOOL IsValidGuid = FALSE;
//
// Add the fields we are going to require locally to the WhichFields parameter
//
WhichFields |= USER_ALL_KDC_GET_USER_KEYS | USER_ALL_PASSWORDMUSTCHANGE | USER_ALL_USERACCOUNTCONTROL | USER_ALL_USERID | USER_ALL_USERNAME;
TUserName = *GenericUserName; UserName = &TUserName;
TRACE(KDC, GetTicketInfo, DEB_FUNCTION);
RtlZeroMemory(TicketInfo, sizeof(KDC_TICKET_INFO)); RtlZeroMemory(&LocalMembership, sizeof(SID_AND_ATTRIBUTES_LIST));
if (ARGUMENT_PRESENT( RetUserInfo )) { *RetUserInfo = NULL; }
if (!ARGUMENT_PRESENT(GroupMembership)) { LookupFlags |= SAM_NO_MEMBERSHIPS; }
//
// If this is the krbtgt account, use the cached version
//
if (!ARGUMENT_PRESENT(UserHandle) && !ARGUMENT_PRESENT(RetUserInfo) && !ARGUMENT_PRESENT(GroupMembership) && (KdcState == Running) && RtlEqualUnicodeString( SecData.KdcServiceName(), UserName, TRUE // case insensitive
)) { //
// Duplicate the cached copy of the KRBTGT information
//
D_DebugLog((DEB_T_TICKETS, "Using cached ticket info for krbtgt account\n"));
KerbErr = SecData.GetKrbtgtTicketInfo( TicketInfo ); if (KERB_SUCCESS(KerbErr)) { goto Cleanup; }
}
//
// If we cracked this name at a dc, and it's the same domain, we will
// not be able to generate a referral ticket. So, we need to be able
// to open the sam locally. Further more, crack name and sam lookups
// are much faster with guids (even though we have to do the string
// to guid operation.
//
if (LookupFlags & SAM_OPEN_BY_GUID) { if (IsValidGuid = IsStringGuid(UserName->Buffer, &testGuid)) { UserName->Buffer = (LPWSTR)&testGuid; } }
//
// The caller may provide an empty user name so as to force the lookup
// using the AltSecId. This is used when mapping names from an MIT realm
//
if (UserName->Length > 0) { //
// Open the user account
//
if (IsValidGuid) { D_DebugLog(( DEB_TRACE, "Looking for account %wZ\n", UserName )); } else { D_DebugLog(( DEB_TRACE, "Looking for account %wZ mapped to Guid\n", GenericUserName )); KerbPrintGuid (DEB_TRACE, "", &testGuid); }
Status = SamIGetUserLogonInformation2( GlobalAccountDomainHandle, LookupFlags, UserName, WhichFields, ExtendedFields, &UserInfo, &LocalMembership, &LocalUserHandle );
//
// WASBUG: For now, if we couldn't find the account try again
// with a '$' at the end (if there wasn't one already)
//
if (((Status == STATUS_NOT_FOUND) || (Status == STATUS_NO_SUCH_USER)) && (!IsValidGuid) && ((LookupFlags & ~SAM_NO_MEMBERSHIPS) == 0) && (UserName->Length >= sizeof(WCHAR)) && (UserName->Buffer[UserName->Length/sizeof(WCHAR)-1] != L'$')) { Status = KerbDuplicateString( &TempString, UserName ); if (!NT_SUCCESS(Status)) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } DsysAssert(TempString.MaximumLength >= TempString.Length + sizeof(WCHAR)); TempString.Buffer[TempString.Length/sizeof(WCHAR)] = L'$'; TempString.Length += sizeof(WCHAR);
D_DebugLog((DEB_TRACE, "Account not found ,trying machine account %wZ\n", &TempString ));
Status = SamIGetUserLogonInformation2( GlobalAccountDomainHandle, LookupFlags, &TempString, WhichFields, ExtendedFields, &UserInfo, &LocalMembership, &LocalUserHandle );
}
}
//
// If we still can't find the account, try the altsecid using
// the supplied principal name.
//
if (((Status == STATUS_NOT_FOUND) || (Status == STATUS_NO_SUCH_USER)) && ARGUMENT_PRESENT(PrincipalName) ) { KerbErr = KerbBuildAltSecId( &AlternateName, PrincipalName, Realm, NULL // no unicode realm name
);
if (KERB_SUCCESS(KerbErr)) { D_DebugLog((DEB_TRACE,"User account not found, trying alternate id: %wZ\n",&AlternateName )); LookupFlags |= SAM_OPEN_BY_ALTERNATE_ID,
Status = SamIGetUserLogonInformation2( GlobalAccountDomainHandle, LookupFlags, &AlternateName, WhichFields, ExtendedFields, &UserInfo, &LocalMembership, &LocalUserHandle );
} }
if (!NT_SUCCESS(Status)) { DebugLog((DEB_WARN,"Could not open User %wZ: 0x%x\n", UserName, Status ));
if ((Status == STATUS_NO_SUCH_USER) || (Status == STATUS_NOT_FOUND) || (Status == STATUS_OBJECT_NAME_NOT_FOUND)) { KerbErr = KDC_ERR_C_PRINCIPAL_UNKNOWN; } else if (Status == STATUS_NO_LOGON_SERVERS) { //If there's no GC, this sam call returns STATUS_NO_LOGON_SERVERS
//and we should return this to the client. see bug 226073
FILL_EXT_ERROR(pExtendedError, Status,FILENO, __LINE__); KerbErr = KDC_ERR_SVC_UNAVAILABLE; } else if (Status != STATUS_INVALID_SERVER_STATE) { WCHAR LookupType[10]; WCHAR AccountName[MAX_PATH+1]; PUNICODE_STRING LookupName = NULL;
if (AlternateName.Buffer != NULL) { LookupName = &AlternateName; } else if (TempString.Buffer != NULL) { LookupName = &TempString; } else { LookupName = UserName; } if (LookupName->Length < MAX_PATH * sizeof(WCHAR)) { RtlCopyMemory( AccountName, LookupName->Buffer, LookupName->Length ); AccountName[LookupName->Length/sizeof(WCHAR)] = L'\0'; } else { RtlCopyMemory( AccountName, LookupName->Buffer, MAX_PATH * sizeof(WCHAR) ); AccountName[MAX_PATH] = L'\0'; }
//
// Log name collisions separately to provide
// more information
//
if (Status == STATUS_OBJECT_NAME_COLLISION) { DS_NAME_FORMAT NameFormat = DS_UNKNOWN_NAME; if ((LookupFlags & SAM_OPEN_BY_UPN) != 0) { NameFormat = DS_USER_PRINCIPAL_NAME; } else if ((LookupFlags & SAM_OPEN_BY_SPN) != 0) { NameFormat = DS_SERVICE_PRINCIPAL_NAME; }
// Potentially deadly error, pass back to caller.
FILL_EXT_ERROR(pExtendedError, Status,FILENO, __LINE__); swprintf(LookupType,L"%d",(ULONG) NameFormat);
ReportServiceEvent( EVENTLOG_ERROR_TYPE, KDCEVENT_NAME_NOT_UNIQUE, 0, NULL, 2, AccountName, LookupType );
KerbErr = KDC_ERR_PRINCIPAL_NOT_UNIQUE; } else { swprintf(LookupType,L"0x%x",LookupFlags);
ReportServiceEvent( EVENTLOG_ERROR_TYPE, KDCEVENT_SAM_CALL_FAILED, sizeof(NTSTATUS), &Status, 2, AccountName, LookupType );
KerbErr = KRB_ERR_GENERIC; } } else { // Potentially deadly error, pass back to caller.
FILL_EXT_ERROR(pExtendedError, Status,FILENO, __LINE__); KerbErr = KRB_ERR_GENERIC; } goto Cleanup; }
UserAll = &UserInfo->I1;
KerbErr = KdcGetUserKeys( LocalUserHandle, UserInfo, &TicketInfo->Passwords, &TicketInfo->OldPasswords, pExtendedError );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to get user keys: 0x%x\n",KerbErr)); goto Cleanup; }
if (!NT_SUCCESS(KerbDuplicateString( &TicketInfo->AccountName, &UserAll->UserName ))) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
if ((UserAll->UserAccountControl & USER_TRUSTED_FOR_DELEGATION) != 0) { TicketInfo->fTicketOpts |= AUTH_REQ_OK_AS_DELEGATE; }
//
// TBD: S4U(3)
// Check user account control flag here for s4u2self restrictions
//
//
// TBD: S4UProxy (A)
// Add forwardable flag when you find T2A4D flag (trusted to authenticate
// for delegation).
//
if ((UserAll->UserAccountControl & USER_NOT_DELEGATED) == 0) { TicketInfo->fTicketOpts |= AUTH_REQ_ALLOW_FORWARDABLE | AUTH_REQ_ALLOW_PROXIABLE; }
TicketInfo->fTicketOpts |= AUTH_REQ_ALLOW_POSTDATE | AUTH_REQ_ALLOW_RENEWABLE | AUTH_REQ_ALLOW_NOADDRESS | AUTH_REQ_ALLOW_ENC_TKT_IN_SKEY | AUTH_REQ_ALLOW_VALIDATE; //
// These flags aren't turned on by default:
// AUTH_REQ_VALIDATE_CLIENT
//
//
// Mask with the domain policy flags
//
TicketInfo->fTicketOpts &= SecData.KdcFlags();
TicketInfo->PasswordExpires = UserAll->PasswordMustChange;
TicketInfo->UserAccountControl = UserAll->UserAccountControl; TicketInfo->UserId = UserAll->UserId;
if (ARGUMENT_PRESENT(RetUserInfo)) { *RetUserInfo = UserInfo; UserInfo = NULL; } if (ARGUMENT_PRESENT(GroupMembership)) { *GroupMembership = LocalMembership; RtlZeroMemory( &LocalMembership, sizeof(SID_AND_ATTRIBUTES_LIST) ); }
if (ARGUMENT_PRESENT(UserHandle)) { *UserHandle = LocalUserHandle; LocalUserHandle = NULL; }
Cleanup:
KerbFreeString( &TempString ); KerbFreeString( &AlternateName );
SamIFree_UserInternal6Information( UserInfo );
if (LocalUserHandle != NULL) { SamrCloseHandle(&LocalUserHandle); }
SamIFreeSidAndAttributesList( &LocalMembership );
return KerbErr;}
//+---------------------------------------------------------------------------
//
// Function: FreeTicketInfo
//
// Synopsis: Frees a KDC_TICKET_INFO structure
//
// Effects:
//
// Arguments:
//
// Returns:
//
// Algorithm:
//
// History: 22-Mar-95 SuChang Created
//
// Notes:
//
//----------------------------------------------------------------------------
VOIDFreeTicketInfo( IN PKDC_TICKET_INFO TicketInfo ){ TRACE(KDC, FreeTicketInfo, DEB_FUNCTION);
if (ARGUMENT_PRESENT(TicketInfo)) { KerbFreeString( &TicketInfo->AccountName ); KerbFreeString( &TicketInfo->TrustedForest );
if (TicketInfo->Passwords != NULL) { MIDL_user_free(TicketInfo->Passwords); TicketInfo->Passwords = NULL; } if (TicketInfo->OldPasswords != NULL) { MIDL_user_free(TicketInfo->OldPasswords); TicketInfo->OldPasswords = NULL; } if (TicketInfo->TrustSid != NULL) { MIDL_user_free(TicketInfo->TrustSid); TicketInfo->TrustSid = NULL; } }}
//--------------------------------------------------------------------
//
// Name: BuildReply
//
// Synopsis: Extracts reply information from an internal ticket
//
// Arguments: pkitTicket - (in) ticket data comes from
// dwNonce - (in) goes into the reply
// pkrReply - (out) reply that is built
//
// Notes: BUG 456265: Need to set tsKeyExpiry properly.
// See 3.1.3, 3.3.3 of the Kerberos V5 R5.2 spec
// tsKeyExpiry is zero for GetTGSTicket, and the
// expiry time of the client's key for GetASTicket.
//
//--------------------------------------------------------------------
KERBERRBuildReply( IN OPTIONAL PKDC_TICKET_INFO ClientInfo, IN ULONG Nonce, IN PKERB_PRINCIPAL_NAME ServerName, IN KERB_REALM ServerRealm, IN PKERB_HOST_ADDRESSES HostAddresses, IN PKERB_TICKET Ticket, OUT PKERB_ENCRYPTED_KDC_REPLY ReplyMessage ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_ENCRYPTED_TICKET EncryptedTicket = (PKERB_ENCRYPTED_TICKET) Ticket->encrypted_part.cipher_text.value; KERB_ENCRYPTED_KDC_REPLY ReplyBody; LARGE_INTEGER CurrentTime;
TRACE(KDC, BuildReply, DEB_FUNCTION);
RtlZeroMemory( &ReplyBody, sizeof(KERB_ENCRYPTED_KDC_REPLY) );
//
// Use the same flags field
//
ReplyBody.flags = ReplyMessage->flags;
ReplyBody.session_key = EncryptedTicket->key;
ReplyBody.last_request = (PKERB_LAST_REQUEST) MIDL_user_allocate(sizeof(KERB_LAST_REQUEST)); if (ReplyBody.last_request == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } RtlZeroMemory( ReplyBody.last_request, sizeof(KERB_LAST_REQUEST) );
ReplyBody.last_request->next = NULL; ReplyBody.last_request->value.last_request_type = 0; GetSystemTimeAsFileTime((PFILETIME)&CurrentTime);
KerbConvertLargeIntToGeneralizedTime( &ReplyBody.last_request->value.last_request_value, NULL, // no usec
&CurrentTime );
ReplyBody.nonce = Nonce;
DsysAssert((ReplyBody.flags.length == EncryptedTicket->flags.length) && (ReplyBody.flags.length== 8 * sizeof(ULONG)));
//
// Assign the flags over
//
*((PULONG)ReplyBody.flags.value) = *((PULONG)EncryptedTicket->flags.value);
if (ARGUMENT_PRESENT(ClientInfo)) {
KerbConvertLargeIntToGeneralizedTime( &ReplyBody.key_expiration, NULL, &ClientInfo->PasswordExpires ); ReplyBody.bit_mask |= key_expiration_present; }
//
// Fill in the times
//
ReplyBody.authtime = EncryptedTicket->authtime; ReplyBody.endtime = EncryptedTicket->endtime;
if (EncryptedTicket->bit_mask & KERB_ENCRYPTED_TICKET_starttime_present) { ReplyBody.KERB_ENCRYPTED_KDC_REPLY_starttime = EncryptedTicket->KERB_ENCRYPTED_TICKET_starttime; ReplyBody.bit_mask |= KERB_ENCRYPTED_KDC_REPLY_starttime_present;
}
if (EncryptedTicket->bit_mask & KERB_ENCRYPTED_TICKET_renew_until_present) { ReplyBody.KERB_ENCRYPTED_KDC_REPLY_renew_until = EncryptedTicket->KERB_ENCRYPTED_TICKET_renew_until; ReplyBody.bit_mask |= KERB_ENCRYPTED_KDC_REPLY_renew_until_present; }
ReplyBody.server_realm = ServerRealm;
ReplyBody.server_name = *ServerName;
//
// Fill in the host addresses
//
if (HostAddresses != NULL) { ReplyBody.KERB_ENCRYPTED_KDC_REPLY_client_addresses = HostAddresses; ReplyBody.bit_mask |= KERB_ENCRYPTED_KDC_REPLY_client_addresses_present; }
*ReplyMessage = ReplyBody;Cleanup:
if (!KERB_SUCCESS(KerbErr)) { if (ReplyBody.last_request != NULL) { MIDL_user_free(ReplyBody.last_request); ReplyBody.last_request = NULL; }
}
return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KdcBuildSupplementalCredentials
//
// Synopsis: Builds a list of the supplemental credentials and then
// encrypts it with the supplied key
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcBuildSupplementalCredentials( IN PUSER_INTERNAL6_INFORMATION UserInfo, IN PKERB_ENCRYPTION_KEY CredentialKey, OUT PPAC_INFO_BUFFER * EncryptedCreds ){ NTSTATUS Status; KERBERR KerbErr = KDC_ERR_NONE; PBYTE Credentials = NULL; ULONG CredentialSize = 0; KERB_ENCRYPTED_DATA EncryptedData = {0}; PPAC_CREDENTIAL_INFO CredInfo = NULL; ULONG EncryptionOverhead; ULONG BlockSize; PPAC_INFO_BUFFER ReturnCreds = NULL; ULONG ReturnCredSize;
Status = PAC_BuildCredentials( (PSAMPR_USER_ALL_INFORMATION)&UserInfo->I1, &Credentials, &CredentialSize );
if (!NT_SUCCESS(Status)) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
KerbErr = KerbAllocateEncryptionBufferWrapper( CredentialKey->keytype, CredentialSize, &EncryptedData.cipher_text.length, &EncryptedData.cipher_text.value );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbEncryptDataEx( &EncryptedData, CredentialSize, Credentials, CredentialKey->keytype, KERB_NON_KERB_SALT, CredentialKey );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Compute the size of the blob returned
//
ReturnCredSize = sizeof(PAC_INFO_BUFFER) + FIELD_OFFSET(PAC_CREDENTIAL_INFO, Data) + EncryptedData.cipher_text.length ;
ReturnCreds = (PPAC_INFO_BUFFER) MIDL_user_allocate(ReturnCredSize); if (ReturnCreds == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } //
// Fill in the outer structure
//
ReturnCreds->ulType = PAC_CREDENTIAL_TYPE; ReturnCreds->cbBufferSize = ReturnCredSize - sizeof(PAC_INFO_BUFFER); ReturnCreds->Data = (PBYTE) (ReturnCreds + 1); CredInfo = (PPAC_CREDENTIAL_INFO) ReturnCreds->Data;
//
// Fill in the inner structure
//
CredInfo->EncryptionType = EncryptedData.encryption_type; if (EncryptedData.bit_mask & version_present) { CredInfo->Version = EncryptedData.version; } else { CredInfo->Version = 0; }
RtlCopyMemory( CredInfo->Data, EncryptedData.cipher_text.value, EncryptedData.cipher_text.length );
*EncryptedCreds = ReturnCreds; ReturnCreds = NULL;Cleanup: if (Credentials != NULL) { MIDL_user_free(Credentials); } if (ReturnCreds != NULL) { MIDL_user_free(ReturnCreds); } if (EncryptedData.cipher_text.value != NULL) { MIDL_user_free(EncryptedData.cipher_text.value); } return(KerbErr);
}
//+-------------------------------------------------------------------------
//
// Function: KdcBuildPacVerifier
//
// Synopsis: Builds a verifier for the PAC. This structure ties the
// PAC to the ticket by including the client name and
// ticket authime in the PAC.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcBuildPacVerifier( IN PTimeStamp ClientId, IN PUNICODE_STRING ClientName, OUT PPAC_INFO_BUFFER * Verifier ){ ULONG ReturnVerifierSize = 0; PPAC_CLIENT_INFO ClientInfo = NULL; PPAC_INFO_BUFFER ReturnVerifier = NULL;
//
// Compute the size of the blob returned
//
ReturnVerifierSize = sizeof(PAC_INFO_BUFFER) + sizeof(PAC_CLIENT_INFO) + ClientName->Length - sizeof(WCHAR) * ANYSIZE_ARRAY;
ReturnVerifier = (PPAC_INFO_BUFFER) MIDL_user_allocate(ReturnVerifierSize); if (ReturnVerifier == NULL) { return(KRB_ERR_GENERIC); } //
// Fill in the outer structure
//
ReturnVerifier->ulType = PAC_CLIENT_INFO_TYPE; ReturnVerifier->cbBufferSize = ReturnVerifierSize - sizeof(PAC_INFO_BUFFER); ReturnVerifier->Data = (PBYTE) (ReturnVerifier + 1); ClientInfo = (PPAC_CLIENT_INFO) ReturnVerifier->Data; ClientInfo->ClientId = *ClientId; ClientInfo->NameLength = ClientName->Length; RtlCopyMemory( ClientInfo->Name, ClientName->Buffer, ClientName->Length ); *Verifier = ReturnVerifier;
return(KDC_ERR_NONE);}
//+---------------------------------------------------------------------------
//
// Name: GetPacAndSuppCred
//
// Synopsis:
//
// Arguments:
//
// Notes: ppPac is allocated using CoTaskMemAlloc and
// ppadlSuppCreds is allocated using operator 'new'.
//
//+---------------------------------------------------------------------------
KERBERRGetPacAndSuppCred( IN PUSER_INTERNAL6_INFORMATION UserInfo, IN PSID_AND_ATTRIBUTES_LIST GroupMembership, IN ULONG SignatureSize, IN OPTIONAL PKERB_ENCRYPTION_KEY CredentialKey, IN OPTIONAL PTimeStamp ClientId, IN OPTIONAL PUNICODE_STRING ClientName, OUT PPACTYPE * Pac, OUT PKERB_EXT_ERROR pExtendedError ){ KERBERR KerbErr = KDC_ERR_NONE; NTSTATUS Status; PPACTYPE NewPac = NULL; PPAC_INFO_BUFFER Credentials[2]; ULONG AdditionalDataCount = 0;
TRACE(KDC, GetPACandSuppCred, DEB_FUNCTION);
RtlZeroMemory( Credentials, sizeof(Credentials) );
*Pac = NULL;
if (ARGUMENT_PRESENT(CredentialKey) && (CredentialKey->keyvalue.value != NULL) ) { KerbErr = KdcBuildSupplementalCredentials( UserInfo, CredentialKey, &Credentials[AdditionalDataCount] ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
AdditionalDataCount++; }
if (ARGUMENT_PRESENT(ClientId)) { KerbErr = KdcBuildPacVerifier( ClientId, ClientName, &Credentials[AdditionalDataCount] ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
AdditionalDataCount++; }
//
// NOTE: this is o.k. because we don't lock the secdata while acecssing
// the machine name
//
Status = PAC_Init( (PSAMPR_USER_ALL_INFORMATION)&UserInfo->I1, NULL, GroupMembership, GlobalDomainSid, &GlobalDomainName, SecData.MachineName(), SignatureSize, AdditionalDataCount, Credentials, &NewPac );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR,"Failed to init pac: 0x%x\n",Status)); FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__); KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
*Pac = NewPac; NewPac = NULL;
Cleanup:
while (AdditionalDataCount > 0) { if (Credentials[--AdditionalDataCount] != NULL) { MIDL_user_free(Credentials[AdditionalDataCount]); } }
if (NewPac != NULL) { MIDL_user_free(NewPac); }
return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KdcFreeInternalTicket
//
// Synopsis: frees a constructed ticket
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKdcFreeInternalTicket( IN PKERB_TICKET Ticket ){ PKERB_ENCRYPTED_TICKET EncryptedTicket = (PKERB_ENCRYPTED_TICKET) Ticket->encrypted_part.cipher_text.value;
TRACE(KDC, KdcFreeInternalTicket, DEB_FUNCTION);
if (EncryptedTicket != NULL) { KerbFreeKey( &EncryptedTicket->key ); KerbFreePrincipalName(&EncryptedTicket->client_name); if (EncryptedTicket->KERB_ENCRYPTED_TICKET_authorization_data != NULL) { KerbFreeAuthData(EncryptedTicket->KERB_ENCRYPTED_TICKET_authorization_data); } if (EncryptedTicket->transited.contents.value != NULL) { MIDL_user_free(EncryptedTicket->transited.contents.value); } }
KerbFreePrincipalName( &Ticket->server_name );}
//+-------------------------------------------------------------------------
//
// Function: KdcFreeKdcReply
//
// Synopsis: frees a kdc reply
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKdcFreeKdcReply( IN PKERB_KDC_REPLY Reply ){ TRACE(KDC, KdcFreeKdcReply, DEB_FUNCTION);
KerbFreePrincipalName(&Reply->ticket.server_name);
if (Reply->ticket.encrypted_part.cipher_text.value != NULL) { MIDL_user_free(Reply->ticket.encrypted_part.cipher_text.value); }
if (Reply->encrypted_part.cipher_text.value != NULL) { MIDL_user_free(Reply->encrypted_part.cipher_text.value); } if (Reply->KERB_KDC_REPLY_preauth_data != NULL) { KerbFreePreAuthData((PKERB_PA_DATA_LIST) Reply->KERB_KDC_REPLY_preauth_data); }
}
//+-------------------------------------------------------------------------
//
// Function: KdcFreeKdcReplyBody
//
// Synopsis: frees a constructed KDC reply body
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKdcFreeKdcReplyBody( IN PKERB_ENCRYPTED_KDC_REPLY ReplyBody ){
TRACE(KDC, KdcFreeKdcReplyBody, DEB_FUNCTION);
//
// The names & the session key are just pointers into the ticket,
// so they don't need to be freed.
//
if (ReplyBody->last_request != NULL) { MIDL_user_free(ReplyBody->last_request); ReplyBody->last_request = NULL; } ReplyBody->KERB_ENCRYPTED_KDC_REPLY_client_addresses = NULL;
}
//+-------------------------------------------------------------------------
//
// Function: KdcVerifyClientAddress
//
// Synopsis: Verifies that the client address is an allowed sender of
// the KDC request.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcVerifyClientAddress( IN SOCKADDR * ClientAddress, IN PKERB_HOST_ADDRESSES Addresses ){ PKERB_HOST_ADDRESSES TempAddress = Addresses;
//
// ISSUE-2001/03/05-markpu
// This routine is wholly inadequate in that it only deals with IPv4
// addresses. Address matching has to be more elaborate than that
//
while (TempAddress != NULL) { if ( TempAddress->value.address_type == KERB_ADDRTYPE_INET && ClientAddress->sa_family == AF_INET ) { struct sockaddr_in * InetAddress = (struct sockaddr_in *) ClientAddress;
//
// Check that the addresses match
//
if (TempAddress->value.address.length == sizeof(ULONG)) { if (RtlEqualMemory( TempAddress->value.address.value, &InetAddress->sin_addr.S_un.S_addr, sizeof(ULONG) )) { return(KDC_ERR_NONE); } }
}
TempAddress = TempAddress->next; }
D_DebugLog((DEB_WARN,"Client address not in address list\n"));
//
// Need to return KRB_AP_ERR_BADADDR but a couple of things must
// be fixed first (client code notified of changes to the machine's IP
// address, copying addresses from the TGT into the TGS request)
//
return(KDC_ERR_NONE);}
//+-------------------------------------------------------------------------
//
// Function: KdcVerifyTgsChecksum
//
// Synopsis: Verify the checksum on a TGS request
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcVerifyTgsChecksum( IN PKERB_KDC_REQUEST_BODY RequestBody, IN PKERB_ENCRYPTION_KEY Key, IN PKERB_CHECKSUM OldChecksum ){ PCHECKSUM_FUNCTION ChecksumFunction; PCHECKSUM_BUFFER CheckBuffer = NULL; KERB_MESSAGE_BUFFER MarshalledRequestBody = {0, NULL}; NTSTATUS Status; KERBERR KerbErr = KDC_ERR_NONE; KERB_CHECKSUM Checksum = {0};
Status = CDLocateCheckSum( OldChecksum->checksum_type, &ChecksumFunction ); if (!NT_SUCCESS(Status)) { KerbErr = KDC_ERR_SUMTYPE_NOSUPP; goto Cleanup; }
//
// Allocate enough space for the checksum
//
Checksum.checksum.value = (PUCHAR) MIDL_user_allocate(ChecksumFunction->CheckSumSize); if (Checksum.checksum.value == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } Checksum.checksum.length = ChecksumFunction->CheckSumSize;
//
// Initialize the checksum
//
if ((OldChecksum->checksum_type == KERB_CHECKSUM_REAL_CRC32) || (OldChecksum->checksum_type == KERB_CHECKSUM_CRC32)) { if (ChecksumFunction->Initialize) { Status = ChecksumFunction->Initialize( 0, &CheckBuffer ); } else {
KerbErr = KRB_ERR_GENERIC; } } else { if (NULL != ChecksumFunction->InitializeEx2) { Status = ChecksumFunction->InitializeEx2( Key->keyvalue.value, (ULONG) Key->keyvalue.length, OldChecksum->checksum.value, KERB_TGS_REQ_AP_REQ_AUTH_CKSUM_SALT, &CheckBuffer ); } else if (ChecksumFunction->InitializeEx) { Status = ChecksumFunction->InitializeEx( Key->keyvalue.value, (ULONG) Key->keyvalue.length, KERB_TGS_REQ_AP_REQ_AUTH_CKSUM_SALT, &CheckBuffer ); } else { KerbErr = KRB_ERR_GENERIC; } }
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbPackData( RequestBody, KERB_MARSHALLED_REQUEST_BODY_PDU, &MarshalledRequestBody.BufferSize, &MarshalledRequestBody.Buffer );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Now checksum the buffer
//
ChecksumFunction->Sum( CheckBuffer, MarshalledRequestBody.BufferSize, MarshalledRequestBody.Buffer );
ChecksumFunction->Finalize( CheckBuffer, Checksum.checksum.value );
//
// Now compare
//
if ((OldChecksum->checksum.length != Checksum.checksum.length) || !RtlEqualMemory( OldChecksum->checksum.value, Checksum.checksum.value, Checksum.checksum.length )) { DebugLog((DEB_ERROR,"Checksum on TGS request body did not match\n")); KerbErr = KRB_AP_ERR_MODIFIED; goto Cleanup; }
Cleanup: if (CheckBuffer != NULL) { ChecksumFunction->Finish(&CheckBuffer); } if (MarshalledRequestBody.Buffer != NULL) { MIDL_user_free(MarshalledRequestBody.Buffer); } if (Checksum.checksum.value != NULL) { MIDL_user_free(Checksum.checksum.value); } return(KerbErr);
}
//+-------------------------------------------------------------------------
//
// Function: KdcVerifyKdcRequest
//
// Synopsis: Verifies that the AP request accompanying a TGS or PAC request
// is valid.
//
// Effects:
//
// Arguments: ApRequest - The AP request to verify
// UnmarshalledRequest - The unmarshalled request,
// returned to avoid needing to
// EncryptedTicket - Receives the ticket granting ticket
// SessionKey - receives the key to use in the reply
//
// Requires:
//
// Returns: kerberos errors
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKdcVerifyKdcRequest( IN PUCHAR RequestMessage, IN ULONG RequestSize, IN OPTIONAL SOCKADDR * ClientAddress, IN BOOLEAN IsKdcRequest, OUT OPTIONAL PKERB_AP_REQUEST * UnmarshalledRequest, OUT OPTIONAL PKERB_AUTHENTICATOR * UnmarshalledAuthenticator, OUT PKERB_ENCRYPTED_TICKET *EncryptedTicket, OUT PKERB_ENCRYPTION_KEY SessionKey, OUT OPTIONAL PKERB_ENCRYPTION_KEY ServerKey, OUT PKDC_TICKET_INFO ServerTicketInfo, OUT PBOOLEAN UseSubKey, OUT PKERB_EXT_ERROR pExtendedError ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_AP_REQUEST Request = NULL; PKERB_ENCRYPTED_TICKET EncryptPart = NULL; PKERB_AUTHENTICATOR Authenticator = NULL; PKERB_INTERNAL_NAME ServerName = NULL; UNICODE_STRING LocalServerName = {0}; UNICODE_STRING LocalServerRealm = {0}; UNICODE_STRING LocalServerPrincipal = {0}; UNICODE_STRING ServerRealm; PKERB_ENCRYPTION_KEY KeyToUse; BOOLEAN Referral = FALSE; BOOLEAN Retry = TRUE;
TRACE(KDC, KdcVerifyKdcRequest, DEB_FUNCTION);
ServerRealm.Buffer = NULL;
//
// First unpack the KDC request.
//
KerbErr = KerbUnpackApRequest( RequestMessage, RequestSize, &Request ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to unpack KDC request: 0x%x\n",KerbErr)); KerbErr = KDC_ERR_NO_RESPONSE; goto Cleanup; }
KerbErr = KerbConvertPrincipalNameToKdcName( &ServerName, &Request->ticket.server_name ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbConvertRealmToUnicodeString( &ServerRealm, &Request->ticket.realm );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup;
}
//
// Get ticket info for the server
//
KerbErr = KdcNormalize( ServerName, &ServerRealm, &ServerRealm, KDC_NAME_SERVER | KDC_NAME_INBOUND, &Referral, &LocalServerRealm, ServerTicketInfo, pExtendedError, NULL, // no user handle
0L, // no fields to fetch
0L, // no extended fields
NULL, // no user all
NULL // no group membership
); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_WARN, "Trying to get TGS ticket to service in another realm: ")); KerbPrintKdcName(DEB_WARN, ServerName); goto Cleanup; }
//
// Now Check the ticket
//
Retry:
KeyToUse = KerbGetKeyFromList( ServerTicketInfo->Passwords, Request->ticket.encrypted_part.encryption_type );
if (KeyToUse == NULL) { DebugLog((DEB_ERROR,"Server does not have proper key to decrypt ticket: 0x%x\n", Request->ticket.encrypted_part.encryption_type ));
//
// If this is our second attempt, do not overwrite the error code we had
//
if (KERB_SUCCESS(KerbErr)) { KerbErr = KDC_ERR_ETYPE_NOTSUPP; }
goto Cleanup; }
//
// We don't need to supply a service name or service because we've looked up
// the account locally.
//
KerbErr = KerbCheckTicket( &Request->ticket, &Request->authenticator, KeyToUse, Authenticators, &SkewTime, 0, // zero service names
NULL, // any service
NULL, FALSE, // don't check for replay
IsKdcRequest, &EncryptPart, &Authenticator, NULL, SessionKey, UseSubKey );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to check ticket : 0x%x for",KerbErr)); KerbPrintKdcName(DEB_ERROR,ServerName );
//
// If an old password is available, give it a try. We remove the
// current password & put the old password in here.
//
if (ServerTicketInfo->OldPasswords && (KerbErr == KRB_AP_ERR_MODIFIED)) { MIDL_user_free(ServerTicketInfo->Passwords); ServerTicketInfo->Passwords = ServerTicketInfo->OldPasswords; ServerTicketInfo->OldPasswords = NULL; goto Retry; }
//
// Here's the case where we're trying to use an expired TGT. Have
// the client retry using a new TGT
//
if (KerbErr == KRB_AP_ERR_TKT_EXPIRED) { FILL_EXT_ERROR_EX(pExtendedError, STATUS_TIME_DIFFERENCE_AT_DC, FILENO, __LINE__); }
goto Cleanup; }
//
// Verify the address from the ticket
//
if ((EncryptPart->bit_mask & KERB_ENCRYPTED_TICKET_client_addresses_present) && ARGUMENT_PRESENT(ClientAddress))
{ ULONG TicketFlags = KerbConvertFlagsToUlong(&EncryptPart->flags);
//
// Only check initial tickets
//
if ((TicketFlags & (KERB_TICKET_FLAGS_forwarded | KERB_TICKET_FLAGS_proxy)) == 0) { KerbErr = KdcVerifyClientAddress( ClientAddress, EncryptPart->KERB_ENCRYPTED_TICKET_client_addresses ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Client sent request with wrong address\n")); goto Cleanup; } } }
//
// Verify that if the server is a trusted domain account, that it is an
// acceptable ticket (transitively). Verify that for non transitive
// trust the client realm is the same as the requesting ticket realm
//
if (((ServerTicketInfo->fTicketOpts & AUTH_REQ_TRANSITIVE_TRUST) == 0) && (ServerTicketInfo->UserId != DOMAIN_USER_RID_KRBTGT)) { if (!KerbCompareRealmNames( &EncryptPart->client_realm, &Request->ticket.realm )) { DebugLog((DEB_WARN,"Client from realm %s attempted to access non transitve trust via %s : illegal\n", &EncryptPart->client_realm, &Request->ticket.realm ));
KerbErr = KDC_ERR_PATH_NOT_ACCEPTED; goto Cleanup; } }
//
// If the caller wanted the server key, return it here.
//
if (ServerKey != NULL) { KerbErr = KerbDuplicateKey( ServerKey, KeyToUse ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } }
*EncryptedTicket = EncryptPart; EncryptPart = NULL; if (ARGUMENT_PRESENT(UnmarshalledRequest)) { *UnmarshalledRequest = Request; Request = NULL; } if (ARGUMENT_PRESENT(UnmarshalledAuthenticator)) { *UnmarshalledAuthenticator = Authenticator; Authenticator = NULL; }
Cleanup: KerbFreeApRequest(Request); KerbFreeString(&LocalServerRealm); KerbFreeKdcName(&ServerName); KerbFreeString(&ServerRealm); KerbFreeAuthenticator(Authenticator); KerbFreeTicket(EncryptPart);
return(KerbErr);}
#if DBG
voidPrintRequest( ULONG ulDebLevel, PKERB_KDC_REQUEST_BODY Request ){ TRACE(KDC, PrintRequest, DEB_FUNCTION);}
voidPrintTicket( ULONG ulDebLevel, char * pszMessage, PKERB_TICKET pkitTicket){ TRACE(KDC, PrintTicket, DEB_FUNCTION);}
#endif // DBG
|
