Print this page
NEX-18907 File Access Auditing does not work with SMB Kerberos authentication
Review by: Gordon Ross <gordon.ross@nexenta.com>
Review by: Evan Layton <evan.layton@nexenta.com>
NEX-3080 SMB1 signing problem with Kerberos auth.
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
Reviewed by: Dan Fields <dan.fields@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Matt Barden <Matt.Barden@nexenta.com>
NEX-1810 extended security Kerberos (inbound)
SMB-56 extended security NTLMSSP, inbound
*** 8,18 ****
* source. A copy of the CDDL is also available via the Internet at
* http://www.illumos.org/license/CDDL.
*/
/*
! * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
*/
/*
* SPNEGO back-end for Kerberos. See [MS-KILE]
*/
--- 8,18 ----
* source. A copy of the CDDL is also available via the Internet at
* http://www.illumos.org/license/CDDL.
*/
/*
! * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
*/
/*
* SPNEGO back-end for Kerberos. See [MS-KILE]
*/
*** 117,126 ****
--- 117,127 ----
OM_uint32 major, minor, ret_flags;
gss_OID name_type = GSS_C_NULL_OID;
gss_OID mech_type = GSS_C_NULL_OID;
krb5_error_code kerr;
uint32_t status;
+ smb_token_t *token = NULL;
intok.length = ctx->ctx_ibodylen;
intok.value = ctx->ctx_ibodybuf;
bzero(&outtok, sizeof (gss_buffer_desc));
bzero(&namebuf, sizeof (gss_buffer_desc));
*** 131,140 ****
--- 132,144 ----
smbd_report("krb5ssp, krb5_init_ctx: %s",
krb5_get_error_message(be->be_kctx, kerr));
return (NT_STATUS_INTERNAL_ERROR);
}
+ free(be->be_username);
+ be->be_username = NULL;
+
major = gss_accept_sec_context(&minor, &be->be_gssctx,
GSS_C_NO_CREDENTIAL, &intok,
GSS_C_NO_CHANNEL_BINDINGS, &gname, &mech_type, &outtok,
&ret_flags, NULL, NULL);
*** 156,166 ****
smbd_report("krb5ssp: gss_accept_sec_context, "
"mech=0x%x, major=0x%x, minor=0x%x",
(int)mech_type, major, minor);
smbd_report(" krb5: %s",
krb5_get_error_message(be->be_kctx, minor));
! return (NT_STATUS_WRONG_PASSWORD);
}
switch (major) {
case GSS_S_COMPLETE:
break;
--- 160,171 ----
smbd_report("krb5ssp: gss_accept_sec_context, "
"mech=0x%x, major=0x%x, minor=0x%x",
(int)mech_type, major, minor);
smbd_report(" krb5: %s",
krb5_get_error_message(be->be_kctx, minor));
! status = NT_STATUS_WRONG_PASSWORD;
! goto out;
}
switch (major) {
case GSS_S_COMPLETE:
break;
*** 168,180 ****
if (outtok.length > 0) {
ctx->ctx_orawtype = LSA_MTYPE_ES_CONT;
/* becomes NT_STATUS_MORE_PROCESSING_REQUIRED */
return (0);
}
! return (NT_STATUS_WRONG_PASSWORD);
default:
! return (NT_STATUS_WRONG_PASSWORD);
}
/*
* OK, we got GSS_S_COMPLETE. Get the name so we can use it
* in log messages if we get failures decoding the PAC etc.
--- 173,187 ----
if (outtok.length > 0) {
ctx->ctx_orawtype = LSA_MTYPE_ES_CONT;
/* becomes NT_STATUS_MORE_PROCESSING_REQUIRED */
return (0);
}
! status = NT_STATUS_WRONG_PASSWORD;
! goto out;
default:
! status = NT_STATUS_WRONG_PASSWORD;
! goto out;
}
/*
* OK, we got GSS_S_COMPLETE. Get the name so we can use it
* in log messages if we get failures decoding the PAC etc.
*** 196,243 ****
* Extract the KRB5_AUTHDATA_WIN2K_PAC data.
*/
status = get_authz_data_pac(be->be_gssctx,
&be->be_authz_pac);
if (status)
! return (status);
kerr = krb5_pac_parse(be->be_kctx, be->be_authz_pac.value,
be->be_authz_pac.length, &be->be_kpac);
if (kerr) {
smbd_report("krb5ssp, krb5_pac_parse: %s",
krb5_get_error_message(be->be_kctx, kerr));
! return (NT_STATUS_UNSUCCESSFUL);
}
kerr = krb5_pac_get_buffer(be->be_kctx, be->be_kpac,
PAC_LOGON_INFO, &be->be_pac);
if (kerr) {
smbd_report("krb5ssp, krb5_pac_get_buffer: %s",
krb5_get_error_message(be->be_kctx, kerr));
! return (NT_STATUS_UNSUCCESSFUL);
}
ctx->ctx_token = calloc(1, sizeof (smb_token_t));
! if (ctx->ctx_token == NULL)
! return (NT_STATUS_NO_MEMORY);
!
status = smb_decode_krb5_pac(ctx->ctx_token, be->be_pac.data,
be->be_pac.length);
if (status)
! return (status);
status = get_ssnkey(ctx);
if (status)
! return (status);
! if (!smb_token_setup_common(ctx->ctx_token))
! return (NT_STATUS_UNSUCCESSFUL);
/* Success! */
ctx->ctx_orawtype = LSA_MTYPE_ES_DONE;
! return (0);
}
/*
* See: GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID
* and: KRB5_AUTHDATA_WIN2K_PAC
--- 203,267 ----
* Extract the KRB5_AUTHDATA_WIN2K_PAC data.
*/
status = get_authz_data_pac(be->be_gssctx,
&be->be_authz_pac);
if (status)
! goto out;
kerr = krb5_pac_parse(be->be_kctx, be->be_authz_pac.value,
be->be_authz_pac.length, &be->be_kpac);
if (kerr) {
smbd_report("krb5ssp, krb5_pac_parse: %s",
krb5_get_error_message(be->be_kctx, kerr));
! status = NT_STATUS_UNSUCCESSFUL;
! goto out;
}
kerr = krb5_pac_get_buffer(be->be_kctx, be->be_kpac,
PAC_LOGON_INFO, &be->be_pac);
if (kerr) {
smbd_report("krb5ssp, krb5_pac_get_buffer: %s",
krb5_get_error_message(be->be_kctx, kerr));
! status = NT_STATUS_UNSUCCESSFUL;
! goto out;
}
ctx->ctx_token = calloc(1, sizeof (smb_token_t));
! if (ctx->ctx_token == NULL) {
! status = NT_STATUS_NO_MEMORY;
! goto out;
! }
status = smb_decode_krb5_pac(ctx->ctx_token, be->be_pac.data,
be->be_pac.length);
if (status)
! goto out;
status = get_ssnkey(ctx);
if (status)
! goto out;
! if (!smb_token_setup_common(ctx->ctx_token)) {
! status = NT_STATUS_UNSUCCESSFUL;
! goto out;
! }
/* Success! */
ctx->ctx_orawtype = LSA_MTYPE_ES_DONE;
! status = 0;
! token = ctx->ctx_token;
!
! /*
! * Before we return, audit successful and failed logons.
! * We only audit logons where we should have a username.
! */
! out:
! if (!smbd_logon_audit(token, &ctx->ctx_clinfo.lci_clnt_ipaddr,
! be->be_username, "") && status == 0)
! return (NT_STATUS_AUDIT_FAILED);
!
! return (status);
}
/*
* See: GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID
* and: KRB5_AUTHDATA_WIN2K_PAC