diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-01-24 05:31:08 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:51:26 -0500 |
commit | 28d78c40ade22c4b5d445dbe23f18ca210e41f8c (patch) | |
tree | d3cd9bdaca50e4cd7af031f1b2550836b9190417 /source4/kdc | |
parent | fc29c3250af5fbcd81725e38fb48ca1ec5ae23bf (diff) | |
download | samba-28d78c40ade22c4b5d445dbe23f18ca210e41f8c.tar.gz samba-28d78c40ade22c4b5d445dbe23f18ca210e41f8c.tar.bz2 samba-28d78c40ade22c4b5d445dbe23f18ca210e41f8c.zip |
r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our
case) as the keytab.
This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).
Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
Diffstat (limited to 'source4/kdc')
-rw-r--r-- | source4/kdc/config.mk | 15 | ||||
-rw-r--r-- | source4/kdc/hdb-ldb.c | 21 | ||||
-rw-r--r-- | source4/kdc/kdc.c | 9 | ||||
-rw-r--r-- | source4/kdc/kdc.h | 4 | ||||
-rw-r--r-- | source4/kdc/kpasswdd.c | 5 |
5 files changed, 45 insertions, 9 deletions
diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk index f1aef75df5..32f10c93a5 100644 --- a/source4/kdc/config.mk +++ b/source4/kdc/config.mk @@ -6,10 +6,21 @@ NOPROTO = YES OBJ_FILES = \ kdc.o \ - pac-glue.o \ - hdb-ldb.o \ kpasswdd.o REQUIRED_SUBSYSTEMS = \ LIBLDB KERBEROS_LIB HEIMDAL_KDC HEIMDAL_HDB # End SUBSYSTEM KDC ####################### + +####################### +# Start SUBSYSTEM KDC +[SUBSYSTEM::HDB_LDB] +NOPROTO = YES +OBJ_FILES = \ + hdb-ldb.o \ + pac-glue.o +REQUIRED_SUBSYSTEMS = \ + LIBLDB KERBEROS_LIB HEIMDAL_HDB +# End SUBSYSTEM KDC +####################### + diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c index 43009c1c1b..a155e24e7e 100644 --- a/source4/kdc/hdb-ldb.c +++ b/source4/kdc/hdb-ldb.c @@ -948,8 +948,13 @@ static krb5_error_code LDB_destroy(krb5_context context, HDB *db) return 0; } -NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx, - krb5_context context, struct HDB **db, const char *arg) +/* This interface is to be called by the KDC, which is expecting Samba + * calling conventions. It is also called by a wrapper + * (hdb_ldb_create) from the kpasswdd -> krb5 -> keytab_hdb -> hdb + * code */ + +NTSTATUS kdc_hdb_ldb_create(TALLOC_CTX *mem_ctx, + krb5_context context, struct HDB **db, const char *arg) { NTSTATUS nt_status; struct auth_session_info *session_info; @@ -1008,3 +1013,15 @@ NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } + +krb5_error_code hdb_ldb_create(krb5_context context, struct HDB **db, const char *arg) +{ + NTSTATUS nt_status; + /* Disgusting, ugly hack, but it means one less private hook */ + nt_status = kdc_hdb_ldb_create(context->mem_ctx, context, db, arg); + + if (NT_STATUS_IS_OK(nt_status)) { + return 0; + } + return EINVAL; +} diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index 12672bee53..4b958fdce8 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -570,13 +570,18 @@ static void kdc_task_init(struct task_server *task) } kdc->config->num_db = 1; - status = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context, - &kdc->config->db[0], NULL); + status = kdc_hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context, + &kdc->config->db[0], NULL); if (!NT_STATUS_IS_OK(status)) { task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed"); return; } + ret = krb5_kt_register(kdc->smb_krb5_context->krb5_context, &hdb_kt_ops); + if(ret) { + task_server_terminate(task, "kdc: failed to register hdb keytab"); + return; + } /* start listening on the configured network interfaces */ status = kdc_startup_interfaces(kdc); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h index 1038c7df95..df6c5889e6 100644 --- a/source4/kdc/kdc.h +++ b/source4/kdc/kdc.h @@ -29,8 +29,8 @@ struct kdc_server; -NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx, - krb5_context context, struct HDB **db, const char *arg); +NTSTATUS kdc_hdb_ldb_create(TALLOC_CTX *mem_ctx, + krb5_context context, struct HDB **db, const char *arg); BOOL kpasswdd_process(struct kdc_server *kdc, TALLOC_CTX *mem_ctx, DATA_BLOB *input, diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 05aced904d..8e6448435b 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -457,7 +457,10 @@ BOOL kpasswdd_process(struct kdc_server *kdc, DEBUG(1, ("Failed to init server credentials\n")); return False; } - + + /* We want the credentials subsystem to use the krb5 context + * we already have, rather than a new context */ + cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context); cli_credentials_set_conf(server_credentials); nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw"); if (!NT_STATUS_IS_OK(nt_status)) { |