r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our

case) as the keytab.

This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).

Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)

1 files changed, 19 insertions, 2 deletions

diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 43009c1c1b..a155e24e7e 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -948,8 +948,13 @@ static krb5_error_code LDB_destroy(krb5_context context, HDB *db)
 	return 0;
 }
 
-NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx, 
-			krb5_context context, struct HDB **db, const char *arg)
+/* This interface is to be called by the KDC, which is expecting Samba
+ * calling conventions.  It is also called by a wrapper
+ * (hdb_ldb_create) from the kpasswdd -> krb5 -> keytab_hdb -> hdb
+ * code */
+
+NTSTATUS kdc_hdb_ldb_create(TALLOC_CTX *mem_ctx, 
+			    krb5_context context, struct HDB **db, const char *arg)
 {
 	NTSTATUS nt_status;
 	struct auth_session_info *session_info;
@@ -1008,3 +1013,15 @@ NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx,
 
 	return NT_STATUS_OK;
 }
+
+krb5_error_code hdb_ldb_create(krb5_context context, struct HDB **db, const char *arg)
+{
+	NTSTATUS nt_status;
+	/* Disgusting, ugly hack, but it means one less private hook */
+	nt_status = kdc_hdb_ldb_create(context->mem_ctx, context, db, arg);
+
+	if (NT_STATUS_IS_OK(nt_status)) {
+		return 0;
+	}
+	return EINVAL;
+}