r12682: This patch finally fixes our kpasswdd implementation to be compatible

with clients compiled against the MIT Kerberos implementation.  (Which
checks for address in KRB-PRIV packets, hence my comments on socket
functions earlier today).

It also fixes the 'set password' operation to behave correctly (it was
previously a no-op).

This allows Samba3 to join Samba4.  Some winbindd operations even work,
which I think is a good step forward.  There is naturally a lot of work
to do, but I wanted at least the very basics of Samba3 domain membership
to be available for the tech preview.

Andrew Bartlett
(This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)

6 files changed, 323 insertions, 68 deletions

diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index e9a304133c..65bc5d2450 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -377,6 +377,8 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
 	(*gensec_security)->ops = NULL;
 
 	ZERO_STRUCT((*gensec_security)->target);
+	ZERO_STRUCT((*gensec_security)->peer_addr);
+	ZERO_STRUCT((*gensec_security)->my_addr);
 
 	(*gensec_security)->subcontext = False;
 	(*gensec_security)->want_features = 0;
@@ -789,7 +791,7 @@ BOOL gensec_have_feature(struct gensec_security *gensec_security,
 }
 
 /** 
- * Associate a credentails structure with a GENSEC context - talloc_reference()s it to the context 
+ * Associate a credentials structure with a GENSEC context - talloc_reference()s it to the context 
  *
  */
 
@@ -800,7 +802,7 @@ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct
 }
 
 /** 
- * Return the credentails structure associated with a GENSEC context
+ * Return the credentials structure associated with a GENSEC context
  *
  */
 
@@ -855,11 +857,72 @@ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
 		return gensec_security->target.hostname;
 	}
 
-	/* TODO: Add a 'set sockaddr' call, and do a reverse lookup */
+	/* We could add use the 'set sockaddr' call, and do a reverse
+	 * lookup, but this would be both insecure (compromising the
+	 * way kerberos works) and add DNS timeouts */
 	return NULL;
 }
 
 /** 
+ * Set local and peer socket addresses onto a socket context on the GENSEC context 
+ *
+ * This is so that kerberos can include these addresses in
+ * cryptographic tokens, to avoid certain attacks.
+ */
+
+NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, const char *my_addr, int port) 
+{
+	gensec_security->my_addr.addr = talloc_strdup(gensec_security, my_addr);
+	if (my_addr && !gensec_security->my_addr.addr) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	gensec_security->my_addr.port = port;
+	return NT_STATUS_OK;
+}
+
+NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, const char *peer_addr, int port) 
+{
+	gensec_security->peer_addr.addr = talloc_strdup(gensec_security, peer_addr);
+	if (peer_addr && !gensec_security->peer_addr.addr) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	gensec_security->peer_addr.port = port;
+	return NT_STATUS_OK;
+}
+
+const char *gensec_get_my_addr(struct gensec_security *gensec_security, int *port) 
+{
+	if (gensec_security->my_addr.addr) {
+		if (port) {
+			*port = gensec_security->my_addr.port;
+		}
+		return gensec_security->my_addr.addr;
+	}
+
+	/* We could add a 'set sockaddr' call, and do a lookup.  This
+	 * would avoid needing to do system calls if nothing asks. */
+	return NULL;
+}
+
+const char *gensec_get_peer_addr(struct gensec_security *gensec_security, int *port) 
+{
+	if (gensec_security->peer_addr.addr) {
+		if (port) {
+			*port = gensec_security->peer_addr.port;
+		}
+		return gensec_security->peer_addr.addr;
+	}
+
+	/* We could add a 'set sockaddr' call, and do a lookup.  This
+	 * would avoid needing to do system calls if nothing asks.
+	 * However, this is not appropriate for the peer addres on
+	 * datagram sockets */
+	return NULL;
+}
+
+
+
+/** 
  * Set the target principal (assuming it it known, say from the SPNEGO reply)
  *  - ensures it is talloc()ed 
  *
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index ae85bf8f5e..67bec3a0f5 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -31,10 +31,14 @@ struct gensec_security;
 struct gensec_target {
 	const char *principal;
 	const char *hostname;
-	const struct sock_addr *addr;
 	const char *service;
 };
 
+struct gensec_addr {
+	const char *addr;
+	int port;
+};
+
 #define GENSEC_FEATURE_SESSION_KEY	0x00000001
 #define GENSEC_FEATURE_SIGN		0x00000002
 #define GENSEC_FEATURE_SEAL		0x00000004
@@ -114,6 +118,7 @@ struct gensec_security {
 	BOOL subcontext;
 	uint32_t want_features;
 	struct event_context *event_ctx;
+	struct gensec_addr my_addr, peer_addr;
 };
 
 /* this structure is used by backends to determine the size of some critical types */
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 161690f665..478ebcfbf0 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -29,6 +29,8 @@
 #include "auth/kerberos/kerberos.h"
 #include "librpc/gen_ndr/ndr_krb5pac.h"
 #include "auth/auth.h"
+#include "system/network.h"
+#include "lib/socket/socket.h"
 
 enum GENSEC_KRB5_STATE {
 	GENSEC_KRB5_SERVER_START,
@@ -85,7 +87,10 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 	krb5_error_code ret;
 	struct gensec_krb5_state *gensec_krb5_state;
 	struct cli_credentials *creds;
-
+	const char *my_addr, *peer_addr;
+	int my_port, peer_port;
+	krb5_address my_krb5_addr, peer_krb5_addr;
+	
 	creds = gensec_get_credentials(gensec_security);
 	if (!creds) {
 		return NT_STATUS_INVALID_PARAMETER;
@@ -133,6 +138,70 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
+	my_addr = gensec_get_my_addr(gensec_security, &my_port);
+	if (my_addr) {
+		struct sockaddr_in sock_addr;
+		struct ipv4_addr addr;
+
+		/* TODO:  This really should be in a utility function somewhere */
+		ZERO_STRUCT(sock_addr);
+#ifdef HAVE_SOCK_SIN_LEN
+		sock_addr.sin_len		= sizeof(sock_addr);
+#endif
+		addr				= interpret_addr2(my_addr);
+		sock_addr.sin_addr.s_addr	= addr.addr;
+		sock_addr.sin_port		= htons(my_port);
+		sock_addr.sin_family	= PF_INET;
+		
+		ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context, 
+					    (struct sockaddr *)&sock_addr, &my_krb5_addr);
+		if (ret) {
+			DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", 
+				 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
+							    ret, gensec_krb5_state)));
+			talloc_free(gensec_krb5_state);
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+	}
+
+	peer_addr = gensec_get_my_addr(gensec_security, &peer_port);
+	if (peer_addr) {
+		struct sockaddr_in sock_addr;
+		struct ipv4_addr addr;
+
+		/* TODO:  This really should be in a utility function somewhere */
+		ZERO_STRUCT(sock_addr);
+#ifdef HAVE_SOCK_SIN_LEN
+		sock_addr.sin_len		= sizeof(sock_addr);
+#endif
+		addr				= interpret_addr2(peer_addr);
+		sock_addr.sin_addr.s_addr	= addr.addr;
+		sock_addr.sin_port		= htons(peer_port);
+		sock_addr.sin_family	= PF_INET;
+		
+		ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context, 
+					    (struct sockaddr *)&sock_addr, &peer_krb5_addr);
+		if (ret) {
+			DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", 
+				 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
+							    ret, gensec_krb5_state)));
+			talloc_free(gensec_krb5_state);
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+	}
+
+	ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context, 
+				     gensec_krb5_state->auth_context,
+				     my_addr ? &my_krb5_addr : NULL, 
+				     peer_addr ? &peer_krb5_addr : NULL);
+	if (ret) {
+		DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n", 
+			 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
+						    ret, gensec_krb5_state)));
+		talloc_free(gensec_krb5_state);
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
 	return NT_STATUS_OK;
 }
 
@@ -425,11 +494,12 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 		}
 		return nt_status;
 	}
+
 	case GENSEC_KRB5_DONE:
-		return NT_STATUS_OK;
+	default:
+		/* Asking too many times... */
+		return NT_STATUS_INVALID_PARAMETER;
 	}
-	
-	return NT_STATUS_INVALID_PARAMETER;
 }
 
 static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, 
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 7e165ae349..6dcce3254d 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -45,8 +45,8 @@ typedef BOOL (*kdc_process_fn_t)(struct kdc_server *kdc,
 				 TALLOC_CTX *mem_ctx, 
 				 DATA_BLOB *input, 
 				 DATA_BLOB *reply,
-				 const char *src_addr,
-				 int src_port);
+				 const char *peer_address, int peer_port,
+				 const char *my_address, int my_port);
 
 /* hold information about one kdc socket */
 struct kdc_socket {
@@ -116,6 +116,8 @@ static void kdc_recv_handler(struct kdc_socket *kdc_socket)
 	size_t nread, dsize;
 	const char *src_addr;
 	int src_port;
+	const char *my_addr;
+	int my_port;
 	int ret;
 
 	status = socket_pending(kdc_socket->sock, &dsize);
@@ -140,15 +142,24 @@ static void kdc_recv_handler(struct kdc_socket *kdc_socket)
 	talloc_steal(tmp_ctx, src_addr);
 	blob.length = nread;
 	
-	DEBUG(2,("Received krb5 UDP packet of length %lu from %s:%u\n", 
+	DEBUG(10,("Received krb5 UDP packet of length %lu from %s:%u\n", 
 		 (long)blob.length, src_addr, (uint16_t)src_port));
 	
+	my_addr = socket_get_my_addr(kdc_socket->sock, tmp_ctx);
+	if (!my_addr) {
+		talloc_free(tmp_ctx);
+		return;
+	}
+	my_port = socket_get_my_port(kdc_socket->sock);
+
+
 	/* Call krb5 */
 	ret = kdc_socket->process(kdc_socket->kdc, 
 				  tmp_ctx, 
 				  &blob,  
 				  &reply,
-				  src_addr, src_port);
+				  src_addr, src_port,
+				  my_addr, my_port);
 	if (!ret) {
 		talloc_free(tmp_ctx);
 		return;
@@ -205,19 +216,28 @@ static NTSTATUS kdc_tcp_recv(void *private, DATA_BLOB blob)
 							     struct kdc_tcp_connection);
 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 	TALLOC_CTX *tmp_ctx = talloc_new(kdcconn);
-	const char *src_addr;
-	int src_port;
 	int ret;
 	DATA_BLOB input, reply;
+	const char *src_addr;
+	int src_port;
+	const char *my_addr;
+	int my_port;
 
 	talloc_steal(tmp_ctx, blob.data);
 
 	src_addr = socket_get_peer_addr(kdcconn->conn->socket, tmp_ctx);
-	if (!src_addr) goto nomem;
-	src_port = socket_get_peer_port(kdcconn->conn->socket);
+	if (!src_addr) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+	src_port = socket_get_my_port(kdcconn->conn->socket);
 
-	DEBUG(2,("Received krb5 TCP packet of length %lu from %s:%u\n", 
-		 (long)blob.length - 4, src_addr, src_port));
+	my_addr = socket_get_my_addr(kdcconn->conn->socket, tmp_ctx);
+	if (!my_addr) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+	my_port = socket_get_my_port(kdcconn->conn->socket);
 
 	/* Call krb5 */
 	input = data_blob_const(blob.data + 4, blob.length - 4); 
@@ -226,16 +246,18 @@ static NTSTATUS kdc_tcp_recv(void *private, DATA_BLOB blob)
 			       tmp_ctx,
 			       &input,
 			       &reply,
-			       src_addr, src_port);
+			       src_addr, src_port,
+			       my_addr, my_port);
 	if (!ret) {
-		status = NT_STATUS_INTERNAL_ERROR;
-		goto failed;
+		talloc_free(tmp_ctx);
+		return NT_STATUS_INTERNAL_ERROR;
 	}
 
 	/* and now encode the reply */
 	blob = data_blob_talloc(kdcconn, NULL, reply.length + 4);
 	if (!blob.data) {
-		goto nomem;
+		talloc_free(tmp_ctx);
+		return NT_STATUS_NO_MEMORY;
 	}
 
 	RSIVAL(blob.data, 0, reply.length);
@@ -243,17 +265,13 @@ static NTSTATUS kdc_tcp_recv(void *private, DATA_BLOB blob)
 
 	status = packet_send(kdcconn->packet, blob);
 	if (!NT_STATUS_IS_OK(status)) {
-		goto failed;
+		talloc_free(tmp_ctx);
+		return status;
 	}
 
 	/* the call isn't needed any more */
 	talloc_free(tmp_ctx);
 	return NT_STATUS_OK;
-nomem:
-	status = NT_STATUS_NO_MEMORY;
-
-failed:
-	return status;
 }
 
 /*
@@ -294,31 +312,35 @@ static BOOL kdc_process(struct kdc_server *kdc,
 			TALLOC_CTX *mem_ctx, 
 			DATA_BLOB *input, 
 			DATA_BLOB *reply,
-			const char *src_addr,
-			int src_port)
+			const char *peer_addr,
+			int peer_port,
+			const char *my_addr,
+			int my_port)
 {
 	int ret;	
 	krb5_data k5_reply;
 	struct ipv4_addr addr;
-	struct sockaddr_in src_sock_addr;
+	struct sockaddr_in peer_sock_addr;
 
 	/* TODO:  This really should be in a utility function somewhere */
-	ZERO_STRUCT(src_sock_addr);
+	ZERO_STRUCT(peer_sock_addr);
 #ifdef HAVE_SOCK_SIN_LEN
-	src_sock_addr.sin_len		= sizeof(src_sock_addr);
+	peer_sock_addr.sin_len		= sizeof(peer_sock_addr);
 #endif
-	addr				= interpret_addr2(src_addr);
-	src_sock_addr.sin_addr.s_addr	= addr.addr;
-	src_sock_addr.sin_port		= htons(src_port);
-	src_sock_addr.sin_family	= PF_INET;
+	addr				= interpret_addr2(peer_addr);
+	peer_sock_addr.sin_addr.s_addr	= addr.addr;
+	peer_sock_addr.sin_port		= htons(peer_port);
+	peer_sock_addr.sin_family	= PF_INET;
+
+	DEBUG(10,("Received KDC packet of length %lu from %s\n", 
+		 (long)input->length - 4, peer_addr));
 
-	
 	ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context, 
 					    kdc->config,
 					    input->data, input->length,
 					    &k5_reply,
-					    src_addr,
-					    (struct sockaddr *)&src_sock_addr);
+					    peer_addr,
+					    (struct sockaddr *)&peer_sock_addr);
 	if (ret == -1) {
 		*reply = data_blob(NULL, 0);
 		return False;
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index 0cf3199c52..f9dbbefb9a 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -33,8 +33,10 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		      TALLOC_CTX *mem_ctx, 
 		      DATA_BLOB *input, 
 		      DATA_BLOB *reply,
-		      const char *from,
-		      int src_port);
+		      const char *peer_addr,
+		      int peer_port,
+		      const char *my_addr,
+		      int my_port);
 
 /*
   top level context structure for the kdc server
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index e6f0ae9dd7..ee6317792b 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -178,7 +178,10 @@ static BOOL kpasswdd_change_password(struct kdc_server *kdc,
 						reply);
 	}
 	
-	DEBUG(3, ("Changing password of %s\n", dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
+	DEBUG(3, ("Changing password of %s\\%s (%s)\n", 
+		  session_info->server_info->domain_name,
+		  session_info->server_info->account_name,
+		  dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
 
 	/* User password change */
 	status = samdb_set_password_sid(samdb, mem_ctx, 
@@ -203,14 +206,7 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
 				    DATA_BLOB *input, 
 				    DATA_BLOB *reply)
 {
-	NTSTATUS status;
-	enum samr_RejectReason reject_reason;
-	struct samr_DomInfo1 *dominfo;
-	struct ldb_context *samdb;
 	struct auth_session_info *session_info;
-	struct ldb_message *msg = ldb_msg_new(gensec_security);
-	krb5_context context = kdc->smb_krb5_context->krb5_context;
-	int ret;
 	if (!msg) {
 		return False;
 	}
@@ -236,14 +232,22 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
 	}
 	case KRB5_KPASSWD_VERS_SETPW:
 	{
-		size_t len;
+		NTSTATUS status;
+		enum samr_RejectReason reject_reason;
+		struct samr_DomInfo1 *dominfo;
+		struct ldb_context *samdb;
+		struct ldb_message *msg = ldb_msg_new(mem_ctx);
+		krb5_context context = kdc->smb_krb5_context->krb5_context;
+
 		ChangePasswdDataMS chpw;
 		char *password;
+
 		krb5_principal principal;
 		char *set_password_on_princ;
 		struct ldb_dn *set_password_on_dn;
 
-		samdb = samdb_connect(gensec_security, session_info);
+		size_t len;
+		int ret;
 
 		ret = decode_ChangePasswdDataMS(input->data, input->length,
 						&chpw, &len);
@@ -294,11 +298,35 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
 		
 		krb5_free_principal(context, principal);
 		
+		samdb = samdb_connect(mem_ctx, session_info);
+		if (!samdb) {
+			return kpasswdd_make_error_reply(kdc, mem_ctx, 
+							 KRB5_KPASSWD_HARDERROR,
+							 "Unable to open database!",
+							 reply);
+		}
+
+		DEBUG(3, ("%s\\%s (%s) is changing password of %s\n", 
+			  session_info->server_info->domain_name,
+			  session_info->server_info->account_name,
+			  dom_sid_string(mem_ctx, session_info->security_token->user_sid), 
+			  set_password_on_princ));
+		ret = ldb_transaction_start(samdb);
+		if (ret) {
+			status = NT_STATUS_TRANSACTION_ABORTED;
+			return kpasswd_make_pwchange_reply(kdc, mem_ctx, 
+							   status,
+							   reject_reason, 
+							   dominfo, 
+							   reply);
+		}
+
 		status = crack_user_principal_name(samdb, mem_ctx, 
 						   set_password_on_princ, 
 						   &set_password_on_dn, NULL);
 		free(set_password_on_princ);
 		if (!NT_STATUS_IS_OK(status)) {
+			ldb_transaction_cancel(samdb);
 			return kpasswd_make_pwchange_reply(kdc, mem_ctx, 
 							   status,
 							   reject_reason, 
@@ -306,14 +334,48 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
 							   reply);
 		}
 
-		/* Admin password set */
-		status = samdb_set_password(samdb, mem_ctx,
-					    set_password_on_dn, NULL,
-					    msg, password, NULL, NULL, 
-					    False, /* this is not a user password change */
-					    True, /* run restriction tests */
-					    &reject_reason, &dominfo);
+		msg = ldb_msg_new(mem_ctx);
+		if (msg == NULL) {
+			ldb_transaction_cancel(samdb);
+			status = NT_STATUS_NO_MEMORY;
+		} else {
+			msg->dn = ldb_dn_copy(msg, set_password_on_dn);
+			if (!msg->dn) {
+				status = NT_STATUS_NO_MEMORY;
+			}
+		}
+
+		if (NT_STATUS_IS_OK(status)) {
+			/* Admin password set */
+			status = samdb_set_password(samdb, mem_ctx,
+						    set_password_on_dn, NULL,
+						    msg, password, NULL, NULL, 
+						    False, /* this is not a user password change */
+						    True, /* run restriction tests */
+						    &reject_reason, &dominfo);
+		}
 
+		if (NT_STATUS_IS_OK(status)) {
+			/* modify the samdb record */
+			ret = samdb_replace(samdb, mem_ctx, msg);
+			if (ret != 0) {
+				DEBUG(2,("Failed to modify record to set password on %s: %s\n",
+					 ldb_dn_linearize(mem_ctx, msg->dn),
+					 ldb_errstring(samdb)));
+				status = NT_STATUS_ACCESS_DENIED;
+			}
+		}
+		if (NT_STATUS_IS_OK(status)) {
+			ret = ldb_transaction_commit(samdb);
+			if (ret != 0) {
+				DEBUG(1,("Failed to commit transaction to set password on %s: %s\n",
+					 ldb_dn_linearize(mem_ctx, msg->dn),
+					 ldb_errstring(samdb)));
+				status = NT_STATUS_TRANSACTION_ABORTED;
+			}
+		} else {
+			ldb_transaction_cancel(samdb);
+		}
 		return kpasswd_make_pwchange_reply(kdc, mem_ctx, 
 						   status,
 						   reject_reason, 
@@ -322,11 +384,11 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
 	}
 	default:
 		return kpasswdd_make_error_reply(kdc, mem_ctx, 
-						KRB5_KPASSWD_BAD_VERSION,
-						talloc_asprintf(mem_ctx, 
-								"Protocol version %u not supported", 
-								version),
-						reply);
+						 KRB5_KPASSWD_BAD_VERSION,
+						 talloc_asprintf(mem_ctx, 
+								 "Protocol version %u not supported", 
+								 version),
+						 reply);
 	}
 	return True;
 }
@@ -335,8 +397,10 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		      TALLOC_CTX *mem_ctx, 
 		      DATA_BLOB *input, 
 		      DATA_BLOB *reply,
-		      const char *from,
-		      int src_port)
+		      const char *peer_addr,
+		      int peer_port,
+		      const char *my_addr,
+		      int my_port)
 {
 	BOOL ret;
 	const uint16_t header_len = 6;
@@ -355,6 +419,8 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		return False;
 	}
 
+	/* Be parinoid.  We need to ensure we don't just let the
+	 * caller lead us into a buffer overflow */
 	if (input->length <= header_len) {
 		talloc_free(tmp_ctx);
 		return False;
@@ -366,6 +432,9 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		return False;
 	}
 
+	/* There are two different versions of this protocol so far,
+	 * plus others in the standards pipe.  Fortunetly they all
+	 * take a very similar framing */
 	version = RSVAL(input->data, 2);
 	ap_req_len = RSVAL(input->data, 4);
 	if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
@@ -407,7 +476,26 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		return ret;
 	}
 	
-	gensec_set_credentials(gensec_security, server_credentials);
+	nt_status = gensec_set_credentials(gensec_security, server_credentials);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(tmp_ctx);
+		return False;
+	}
+
+	/* The kerberos PRIV packets include these addresses.  MIT
+	 * clients check that they are present */
+	nt_status = gensec_set_peer_addr(gensec_security, peer_addr, peer_port);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(tmp_ctx);
+		return False;
+	}
+	nt_status = gensec_set_my_addr(gensec_security, my_addr, my_port);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(tmp_ctx);
+		return False;
+	}
+
+	/* We want the GENSEC wrap calls to generate PRIV tokens */
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
 
 	nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
@@ -416,6 +504,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		return False;
 	}
 
+	/* Accept the AP-REQ and generate teh AP-REP we need for the reply */
 	nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep);
 	if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		
@@ -433,6 +522,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		return ret;
 	}
 
+	/* Extract the data from the KRB-PRIV half of the message */
 	nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, 
@@ -449,6 +539,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		return ret;
 	}
 
+	/* Figure out something to do with it (probably changing a password...) */
 	ret = kpasswd_process_request(kdc, tmp_ctx, 
 				      gensec_security, 
 				      version, 
@@ -457,7 +548,9 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		/* Argh! */
 		return False;
 	}
-	
+
+	/* And wrap up the reply: This ensures that the error message
+	 * or success can be verified by the client */
 	nt_status = gensec_wrap(gensec_security, tmp_ctx, 
 				&kpasswd_rep, &krb_priv_rep);
 	if (!NT_STATUS_IS_OK(nt_status)) {