authorAndrew Bartlett <abartlet@samba.org>2006-01-24 05:31:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:51:26 -0500
commit28d78c40ade22c4b5d445dbe23f18ca210e41f8c (patch)
treed3cd9bdaca50e4cd7af031f1b2550836b9190417 /source4/kdc
parentfc29c3250af5fbcd81725e38fb48ca1ec5ae23bf (diff)
r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from Windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/config.mk15
-rw-r--r--source4/kdc/hdb-ldb.c21
-rw-r--r--source4/kdc/kdc.c9
-rw-r--r--source4/kdc/kdc.h4
-rw-r--r--source4/kdc/kpasswdd.c5
5 files changed, 45 insertions, 9 deletions
diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk
index f1aef75df5..32f10c93a5 100644
--- a/source4/kdc/config.mk
+++ b/source4/kdc/config.mk
@@ -6,10 +6,21 @@
NOPROTO = YES
OBJ_FILES = \
kdc.o \
- pac-glue.o \
- hdb-ldb.o \
kpasswdd.o
REQUIRED_SUBSYSTEMS = \
LIBLDB KERBEROS_LIB HEIMDAL_KDC HEIMDAL_HDB
# End SUBSYSTEM KDC
#######################
+
+#######################
+# Start SUBSYSTEM KDC
+[SUBSYSTEM::HDB_LDB]
+NOPROTO = YES
+OBJ_FILES = \
+ hdb-ldb.o \
+ pac-glue.o
+REQUIRED_SUBSYSTEMS = \
+ LIBLDB KERBEROS_LIB HEIMDAL_HDB
+# End SUBSYSTEM KDC
+#######################
+
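Review bot: The new `[SUBSYSTEM::HDB_LDB]` block is bracketed by `# Start SUBSYSTEM KDC` and `# End SUBSYSTEM KDC`, copied from the block above it, so the file now has two sections labelled KDC; change them to `# Start SUBSYSTEM HDB_LDB` and `# End SUBSYSTEM HDB_LDB`. Since hdb-ldb.o moves out of KDC while kdc.c still calls kdc_hdb_ldb_create (see the kdc.c hunk), the KDC subsystem's REQUIRED_SUBSYSTEMS should presumably list HDB_LDB unless it is pulled in by another config file outside this diffstat; that cannot be confirmed from this hunk.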
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 43009c1c1b..a155e24e7e 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -948,8 +948,13 @@ static krb5_error_code LDB_destroy(krb5_context context, HDB *db)
return 0;
}
-NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx,
- krb5_context context, struct HDB **db, const char *arg)
+/* This interface is to be called by the KDC, which is expecting Samba
+ * calling conventions. It is also called by a wrapper
+ * (hdb_ldb_create) from the kpasswdd -> krb5 -> keytab_hdb -> hdb
+ * code */
+
+NTSTATUS kdc_hdb_ldb_create(TALLOC_CTX *mem_ctx,
+ krb5_context context, struct HDB **db, const char *arg)
{
NTSTATUS nt_status;
struct auth_session_info *session_info;
@@ -1008,3 +1013,15 @@ NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+
+krb5_error_code hdb_ldb_create(krb5_context context, struct HDB **db, const char *arg)
+{
+ NTSTATUS nt_status;
+ /* Disgusting, ugly hack, but it means one less private hook */
+ nt_status = kdc_hdb_ldb_create(context->mem_ctx, context, db, arg);
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ return 0;
+ }
+ return EINVAL;
+}
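Review bot: The new `hdb_ldb_create` wrapper collapses every failure of `kdc_hdb_ldb_create` into `EINVAL` without logging, so when the hdb keytab path (kpasswdd -> krb5 -> keytab_hdb) fails to open the database, the NTSTATUS that explains why (LDB open, session_info setup, etc.) is lost and the operator only sees a generic Kerberos error. Log it before the fallback return: `DEBUG(1, ("hdb_ldb_create: kdc_hdb_ldb_create failed: %s\n", nt_errstr(nt_status)));`. The `context->mem_ctx` access depends on Samba's patched krb5_context carrying a talloc context, as the "hack" comment admits; a one-line comment stating that the returned HDB's lifetime is therefore tied to the krb5_context would help the next reader. Whether `<errno.h>` is already included for `EINVAL` cannot be seen in this hunk.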
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 12672bee53..4b958fdce8 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -570,13 +570,18 @@ static void kdc_task_init(struct task_server *task)
}
kdc->config->num_db = 1;
- status = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context,
- &kdc->config->db[0], NULL);
+ status = kdc_hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context,
+ &kdc->config->db[0], NULL);
if (!NT_STATUS_IS_OK(status)) {
task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed");
return;
}
+ ret = krb5_kt_register(kdc->smb_krb5_context->krb5_context, &hdb_kt_ops);
+ if(ret) {
+ task_server_terminate(task, "kdc: failed to register hdb keytab");
+ return;
+ }
/* start listening on the configured network interfaces */
status = kdc_startup_interfaces(kdc);
if (!NT_STATUS_IS_OK(status)) {
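Review bot: The terminate message after the renamed call still reads `kdc: hdb_ldb_create (setup KDC database) failed` although the call is now `kdc_hdb_ldb_create`, and the new `krb5_kt_register` branch discards `ret`, so a failed startup reports neither the right function nor the Kerberos error code. Change the first to `task_server_terminate(task, "kdc: kdc_hdb_ldb_create (setup KDC database) failed");` and log the code before the second terminate, e.g. `DEBUG(1, ("kdc: krb5_kt_register(hdb_kt_ops) failed: %d\n", ret));`. As far as the Heimdal API goes, keytab type registration is per krb5_context, so a comment on the register call noting that the hdb keytab is only visible through `kdc->smb_krb5_context->krb5_context` would explain why the kpasswdd hunk in this commit reuses that context. `ret` is declared, and `kdc_task_init` begins, outside this hunk.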
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index 1038c7df95..df6c5889e6 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -29,8 +29,8 @@
struct kdc_server;
-NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx,
- krb5_context context, struct HDB **db, const char *arg);
+NTSTATUS kdc_hdb_ldb_create(TALLOC_CTX *mem_ctx,
+ krb5_context context, struct HDB **db, const char *arg);
BOOL kpasswdd_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 05aced904d..8e6448435b 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -457,7 +457,10 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
DEBUG(1, ("Failed to init server credentials\n"));
return False;
}
-
+
+ /* We want the credentials subsystem to use the krb5 context
+ * we already have, rather than a new context */
+ cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
cli_credentials_set_conf(server_credentials);
nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw");
if (!NT_STATUS_IS_OK(nt_status)) {
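Review bot: The added comment says the existing krb5 context is wanted "rather than a new context" but not why; as far as this commit shows, the reason is that kdc_task_init registers the hdb keytab (`hdb_kt_ops`) on that context, so a context created afresh by the credentials code would presumably lack it and the following `cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw")` lookup would fail. Extend the comment to say so, e.g. `/* Use the KDC's krb5 context: the hdb keytab is registered on it in kdc_task_init, so a fresh context could not find kadmin/changepw */`. The return value of `cli_credentials_set_krb5_context` is ignored; if that call can report failure, check it the way the surrounding calls do. `kpasswdd_process` begins and continues outside this hunk.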