authorAndrew Tridgell <tridge@samba.org>2009-11-09 21:38:49 +1100
committerAndrew Tridgell <tridge@samba.org>2009-11-09 21:38:49 +1100
commit2b858c69391b2d64f19291eb349cb5ba9e48045b (patch)
treec9e8c3023b64bacf8d89fa2e8cee89ddcd62a318
parentbb283af16fe3858310d762cb5998909ae3b810de (diff)
s4-hdb: go back to a separate samdb for the KDC
The change to use a common system_session broke replication, because the KDC forces CRED_DONT_USE_KERBEROS on session->credentials, which is shared with other parts of the system. This should be fixed once we confirm whether the ldap backend actually relies on CRED_DONT_USE_KERBEROS.
-rw-r--r--source4/kdc/hdb-samba4.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 12f354409e..2418e5c63f 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1585,6 +1585,8 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
krb5_context context, struct HDB **db)
{
struct auth_session_info *session_info;
+ NTSTATUS nt_status;
+
*db = talloc(mem_ctx, HDB);
if (!*db) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
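Review bot: The `nt_status` declared at the top of hdb_samba4_create_kdc is only assigned inside the `#if 1` branch of the second hunk, so flipping that switch back to the `#else` path leaves an unused local and a -Wunused-variable warning. Either move the declaration into the `#if 1` block next to its single use, or drop the `#if 1`/`#else` pair altogether now that the commit message records why the shared system_session cannot be used, leaving the explanatory comment in place. It would also help a later reader to state the ownership of the per-KDC session in a comment on the declaration, e.g. `/* session_info is allocated under *db and freed with it */`, since the talloc parent is what ties its lifetime to the HDB. The body of hdb_samba4_create_kdc continues past this hunk.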
@@ -1595,17 +1597,30 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
(*db)->hdb_db = NULL;
(*db)->hdb_capability_flags = 0;
+#if 1
+ /* we would prefer to use system_session(), as that would
+ * allow us to share the samdb backend context with other parts of the
+ * system. For now we can't as we need to override the
+ * credentials to set CRED_DONT_USE_KERBEROS, which would
+ * break other users of the system_session */
+ DEBUG(0,("FIXME: Using new system session for hdb\n"));
+ nt_status = auth_system_session_info(*db, lp_ctx, &session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+#else
session_info = system_session(lp_ctx);
if (session_info == NULL) {
return NT_STATUS_INTERNAL_ERROR;
}
+#endif
/* The idea here is very simple. Using Kerberos to
* authenticate the KDC to the LDAP server is higly likely to
* be circular.
*
* In future we may set this up to use EXERNAL and SSL
- * certificates, for now it will almost certainly be NTLMSSP
+ * certificates, for now it will almost certainly be NTLMSSP_SET_USERNAME
*/
cli_credentials_set_kerberos_state(session_info->credentials,