r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5

authentication.  This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.

This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC.  This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.

The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.

We also now allow for the old secret to be stored into the
credentials, allowing service password changes.

Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)

1 files changed, 5 insertions, 0 deletions

diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index 324b518462..aa2a0d0ac2 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -48,10 +48,12 @@ struct cli_credentials {
 	enum credentials_obtained realm_obtained;
 	enum credentials_obtained ccache_obtained;
 	enum credentials_obtained principal_obtained;
+	enum credentials_obtained keytab_obtained;
 
 	const char *workstation;
 	const char *username;
 	const char *password;
+	const char *old_password;
 	const char *domain;
 	const char *realm;
 	const char *principal;
@@ -59,6 +61,7 @@ struct cli_credentials {
 	struct samr_Password *nt_hash;
 
 	struct ccache_container *ccache;
+	struct keytab_container *keytab;
 
 	const char *(*workstation_cb) (struct cli_credentials *);
 	const char *(*password_cb) (struct cli_credentials *);
@@ -74,6 +77,8 @@ struct cli_credentials {
 	enum netr_SchannelType secure_channel_type;
 	int kvno;
 
+	struct smb_krb5_context *smb_krb5_context;
+
 	/* We are flagged to get machine account details from the
 	 * secrets.ldb when we are asked for a username or password */