path: root/source4/kdc/kpasswdd.c
authorAndrew Tridgell <tridge@samba.org>2010-11-12 17:23:34 +1100
committerAndrew Tridgell <tridge@samba.org>2010-11-12 08:03:20 +0000
commit1ec8d55e275128f2419fb481f88c7d3d87894506 (patch)
tree4e433026fcbba5b87d48f1113aa65852582a81f4 /source4/kdc/kpasswdd.c
parente7fb5a6c9142d4dcffd4a331d3aa78ac543db34a (diff)
downloadsamba-1ec8d55e275128f2419fb481f88c7d3d87894506.tar.gz
samba-1ec8d55e275128f2419fb481f88c7d3d87894506.tar.bz2
samba-1ec8d55e275128f2419fb481f88c7d3d87894506.zip
s4-kdc: added proxying of kdc requests for RODCs
When we are an RODC and we get a request for a principal that we don't have the right secrets for, we need to proxy the request to a writeable DC. This happens for both TCP and UDP requests, for both krb5 and kpasswd.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
Diffstat (limited to 'source4/kdc/kpasswdd.c')
-rw-r--r--source4/kdc/kpasswdd.c21
1 files changed, 9 insertions, 12 deletions
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index ace8a89371..88d86cd6e4 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -177,22 +177,11 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
struct ldb_message **res;
int ret;
- /* Connect to a SAMDB with system privileges for fetching the old pw
- * hashes. */
- samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, kdc->task->lp_ctx,
- system_session(kdc->task->lp_ctx), 0);
- if (!samdb) {
- return kpasswdd_make_error_reply(kdc, mem_ctx,
- KRB5_KPASSWD_HARDERROR,
- "Failed to open samdb",
- reply);
- }
-
/* Fetch the old hashes to get the old password in order to perform
* the password change operation. Naturally it would be much better to
* have a password hash from an authentication around but this doesn't
* seem to be the case here. */
- ret = gendb_search(samdb, mem_ctx, NULL, &res, attrs,
+ ret = gendb_search(kdc->samdb, mem_ctx, NULL, &res, attrs,
"(&(objectClass=user)(sAMAccountName=%s))",
session_info->server_info->account_name);
if (ret != 1) {
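Review bot: The system-privilege requirement for this lookup became implicit when the samdb_connect() with system_session() was replaced by kdc->samdb on the gendb_search line: the old password hashes this search fetches are, presumably, only returned to a privileged session, and nothing in the new code documents or checks that kdc->samdb was opened that way. Keep the contract visible by putting back a comment in place of the removed one, e.g. `/* kdc->samdb must be a system-session connection: the old password hashes fetched here are not readable by an ordinary caller */`. The NULL check on the connection also went away with the removed block; if kdc->samdb can be unset at this point (its initialisation is not visible here), a `if (kdc->samdb == NULL)` guard returning KRB5_KPASSWD_HARDERROR as before would be cheap. kpasswdd_change_password starts and ends outside this hunk.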
@@ -478,6 +467,11 @@ enum kdc_process_ret kpasswdd_process(struct kdc_server *kdc,
return KDC_PROCESS_FAILED;
}
+ if (kdc->am_rodc) {
+ talloc_free(tmp_ctx);
+ return KDC_PROCESS_PROXY;
+ }
+
/* Be parinoid. We need to ensure we don't just let the
* caller lead us into a buffer overflow */
if (input->length <= header_len) {
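Review bot: The new am_rodc early return sits before the `input->length <= header_len` sanity check that immediately follows it, so on an RODC a truncated or malformed kpasswd packet is relayed to the writable DC instead of being rejected locally; moving the three added lines below that check keeps the cheap validation on the RODC path too. The branch also forwards every kpasswd request unconditionally, rather than the per-principal proxying the commit message describes, which is presumably deliberate because an RODC cannot write the new password itself; a comment saying so would stop a later reader from "fixing" it, e.g. `/* An RODC cannot write passwords, so every change request is proxied to a writable DC regardless of which secrets we hold */`. kpasswdd_process starts before this hunk and continues after it.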
@@ -508,6 +502,7 @@ enum kdc_process_ret kpasswdd_process(struct kdc_server *kdc,
server_credentials = cli_credentials_init(tmp_ctx);
if (!server_credentials) {
DEBUG(1, ("Failed to init server credentials\n"));
+ talloc_free(tmp_ctx);
return KDC_PROCESS_FAILED;
}
@@ -622,6 +617,7 @@ enum kdc_process_ret kpasswdd_process(struct kdc_server *kdc,
&kpasswd_req, &kpasswd_rep);
if (!ret) {
/* Argh! */
+ talloc_free(tmp_ctx);
return KDC_PROCESS_FAILED;
}
@@ -647,6 +643,7 @@ enum kdc_process_ret kpasswdd_process(struct kdc_server *kdc,
reply:
*reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len);
if (!reply->data) {
+ talloc_free(tmp_ctx);
return KDC_PROCESS_FAILED;
}