r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our

case) as the keytab.

This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).

Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)

4 files changed, 29 insertions, 20 deletions

diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 219869cf3a..53350b8ed0 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -267,17 +267,12 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 		
 			cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
 		} else {
-		
-			DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
-				  cli_credentials_get_domain(cred)));
-
-			/* set anonymous as the fallback, if the machine account won't work */
-			cli_credentials_set_anonymous(cred);
-
-			talloc_free(mem_ctx);
-			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+			cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
 		}
+	} else {
+		cli_credentials_set_password(cred, password, CRED_SPECIFIED);
 	}
+
 	
 	domain = ldb_msg_find_string(msgs[0], "flatname", NULL);
 	if (domain) {
@@ -290,9 +285,6 @@ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 	}
 
 	cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
-	if (password) {
-		cli_credentials_set_password(cred, password, CRED_SPECIFIED);
-	}
 
 	cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0));
 
@@ -417,13 +409,14 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	/* search for the secret record */
+	/* search for the secret record, but only of things we can
+	 * actually update */
 	ldb_ret = gendb_search(ldb,
 			       mem_ctx, NULL,
 			       &msgs, attrs,
-			       "objectClass=kerberosSecret");
+			       "(&(objectClass=kerberosSecret)(|(secret=*)(ntPwdHash=*)))");
 	if (ldb_ret == -1) {
-		DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab"));
+		DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab:: %s", ldb_errstring(ldb)));
 		talloc_free(mem_ctx);
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
@@ -442,15 +435,13 @@ NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(1, ("Failed to read secrets for keytab update for %s\n", 
 				  filter));
-			talloc_free(mem_ctx);
-			return status;
+			continue;
 		} 
 		ret = cli_credentials_update_keytab(creds);
 		if (ret != 0) {
 			DEBUG(1, ("Failed to update keytab for %s\n", 
 				  filter));
-			talloc_free(mem_ctx);
-			return NT_STATUS_UNSUCCESSFUL;
+			continue;
 		}
 	}
 	return NT_STATUS_OK;
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index 5f40ca1046..29b70d9a53 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -43,6 +43,20 @@ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
 	return 0;
 }
 
+/* This needs to be called directly after the cli_credentials_init(),
+ * otherwise we might have problems with the krb5 context already
+ * being here.
+ */
+NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, 
+					  struct smb_krb5_context *smb_krb5_context)
+{
+	if (!talloc_reference(cred, smb_krb5_context)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	cred->smb_krb5_context = smb_krb5_context;
+	return NT_STATUS_OK;
+}
+
 int cli_credentials_set_from_ccache(struct cli_credentials *cred, 
 				    enum credentials_obtained obtained)
 {
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index ad0e18b2e7..776b591ba4 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -397,9 +397,9 @@ static int create_keytab(TALLOC_CTX *parent_ctx,
 		const struct samr_Password *mach_pwd;
 		mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
 		if (!mach_pwd) {
-			talloc_free(mem_ctx);
 			DEBUG(1, ("create_keytab: Domain trust informaton for account %s not available\n",
 				  cli_credentials_get_principal(machine_account, mem_ctx)));
+			talloc_free(mem_ctx);
 			return EINVAL;
 		}
 		ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
@@ -410,6 +410,7 @@ static int create_keytab(TALLOC_CTX *parent_ctx,
 			DEBUG(1, ("create_keytab: krb5_keyblock_init failed: %s\n",
 				  smb_get_krb5_error_message(smb_krb5_context->krb5_context, 
 							     ret, mem_ctx)));
+			talloc_free(mem_ctx);
 			return ret;
 		}
 
@@ -516,6 +517,7 @@ static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
 	switch (ret) {
 	case 0:
 		break;
+	case HEIM_ERR_OPNOTSUPP:
 	case ENOENT:
 	case KRB5_KT_END:
 		/* no point enumerating if there isn't anything here */
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 8e52ac5e3f..830c803524 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -448,6 +448,8 @@ static void smb_krb5_send_and_recv_close_func(krb5_context context, void *data)
 		return ret;
 	}
 
+	(*smb_krb5_context)->krb5_context->mem_ctx = *smb_krb5_context;
+
 	talloc_steal(parent_ctx, *smb_krb5_context);
 	talloc_free(tmp_ctx);