author | Andrew Tridgell <tridge@samba.org> | 2009-11-09 21:38:49 +1100 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2009-11-09 21:38:49 +1100 |
commit | 2b858c69391b2d64f19291eb349cb5ba9e48045b (patch) | |
tree | c9e8c3023b64bacf8d89fa2e8cee89ddcd62a318 | |
parent | bb283af16fe3858310d762cb5998909ae3b810de (diff) | |
s4-hdb: go back to a separate samdb for the KDC
The change to use a common system_session broke replication as the KDC
forces CRED_DONT_USE_KERBEROS on session->credentials, which is shared
with other parts of the system.
This should be fixed once we confirm whether the ldap backend actually
relies on CRED_DONT_USE_KERBEROS.
-rw-r--r-- | source4/kdc/hdb-samba4.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 12f354409e..2418e5c63f 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1585,6 +1585,8 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
 				krb5_context context, struct HDB **db)
 {
 	struct auth_session_info *session_info;
+	NTSTATUS nt_status;
+
 	*db = talloc(mem_ctx, HDB);
 	if (!*db) {
 		krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
@@ -1595,17 +1597,30 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
 	(*db)->hdb_db = NULL;
 	(*db)->hdb_capability_flags = 0;
+#if 1
+	/* we would prefer to use system_session(), as that would
+	 * allow us to share the samdb backend context with other parts of the
+	 * system. For now we can't as we need to override the
+	 * credentials to set CRED_DONT_USE_KERBEROS, which would
+	 * break other users of the system_session */
+	DEBUG(0,("FIXME: Using new system session for hdb\n"));
+	nt_status = auth_system_session_info(*db, lp_ctx, &session_info);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return nt_status;
+	}
+#else
 	session_info = system_session(lp_ctx);
 	if (session_info == NULL) {
 		return NT_STATUS_INTERNAL_ERROR;
 	}
+#endif
 	/* The idea here is very simple. Using Kerberos to
 	 * authenticate the KDC to the LDAP server is higly likely to
 	 * be circular.
 	 *
 	 * In future we may set this up to use EXERNAL and SSL
-	 * certificates, for now it will almost certainly be NTLMSSP
+	 * certificates, for now it will almost certainly be NTLMSSP_SET_USERNAME
 	 */
 	cli_credentials_set_kerberos_state(session_info->credentials,