authorAndrew Bartlett <abartlet@samba.org>2005-06-29 13:55:09 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:18:57 -0500
commit9a7481bcfeff29495334eff8803878c2c238878f (patch)
tree040ffa0f4b35ebe93b749a7b32166a9be1e525ad /source4/kdc
parentf4e75294be1f4c9d110d4ca48c5143078ade2bce (diff)
r7993: Further work on the Krb5 PAC.
We now generate the PAC, and can verify both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, splits out the code to get the information we need from the NETLOGON server back into an auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be verified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/config.mk3
-rw-r--r--source4/kdc/hdb-ldb.c10
-rw-r--r--source4/kdc/kdc.c4
-rw-r--r--source4/kdc/kdc.h4
-rw-r--r--source4/kdc/pac-glue.c79
5 files changed, 93 insertions, 7 deletions
diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk
index b1de650faa..ce655dea82 100644
--- a/source4/kdc/config.mk
+++ b/source4/kdc/config.mk
@@ -5,8 +5,9 @@
[SUBSYSTEM::KDC]
INIT_OBJ_FILES = \
kdc/kdc.o \
+ kdc/pac-glue.o \
kdc/hdb-ldb.o
REQUIRED_SUBSYSTEMS = \
- LIBLDB KERBEROS_LIB
+ LIBLDB KERBEROS_LIB HEIMDAL_KDC HEIMDAL_HDB
# End SUBSYSTEM KDC
#######################
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 231d7db436..0875803be0 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -40,7 +40,8 @@
#include "system/iconv.h"
enum hdb_ldb_ent_type
-{ HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER, HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_ANY };
+{ HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER,
+ HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_ANY };
static const char * const krb5_attrs[] = {
"objectClass",
@@ -980,9 +981,10 @@ static krb5_error_code LDB_destroy(krb5_context context, HDB *db)
return 0;
}
-krb5_error_code hdb_ldb_create(krb5_context context, struct HDB **db, const char *arg)
+krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
+ krb5_context context, struct HDB **db, const char *arg)
{
- *db = talloc(NULL, HDB);
+ *db = talloc(mem_ctx, HDB);
if (!*db) {
krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM;
@@ -990,8 +992,8 @@ krb5_error_code hdb_ldb_create(krb5_context context, struct HDB **db, const char
(*db)->hdb_master_key_set = 0;
(*db)->hdb_db = NULL;
- /* in future, we could cache the connect here, but for now KISS */
+ /* Setup the link to LDB */
(*db)->hdb_db = samdb_connect(db);
if ((*db)->hdb_db == NULL) {
krb5_warnx(context, "hdb_ldb_create: samdb_connect failed!");
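Review bot: `(*db)->hdb_db = samdb_connect(db);` hands the caller's `struct HDB **` to talloc as the parent instead of the freshly allocated `*db`, so the ldb connection is not owned by the HDB that this commit now parents on `mem_ctx`; it presumably only works because the kdc.c caller's `&kdc->config->db[0]` happens to coincide with a talloc pointer, which is worth confirming. Suggest `(*db)->hdb_db = samdb_connect(*db);` so the connection is released together with the entry it serves. hdb_ldb_create's body continues outside the hunk.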
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 8a7e497913..a1958b54fa 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -29,6 +29,8 @@
#include "system/network.h"
#include "dlinklist.h"
+
+
/*
handle fd send events on a KDC socket
*/
@@ -276,7 +278,7 @@ static void kdc_task_init(struct task_server *task)
}
kdc->config->num_db = 1;
- ret = hdb_ldb_create(kdc->smb_krb5_context->krb5_context,
+ ret = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context,
&kdc->config->db[0], lp_sam_url());
if (ret != 0) {
DEBUG(1, ("kdc_task_init: hdb_ldb_create fails: %s\n",
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index 25f643eadd..d59fa3e2e7 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -24,8 +24,10 @@
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
#include "heimdal/kdc/kdc.h"
+#include "kdc/pac-glue.h"
-krb5_error_code hdb_ldb_create(krb5_context context, struct HDB **db, const char *arg);
+krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
+ krb5_context context, struct HDB **db, const char *arg);
/* hold all the info needed to send a reply */
struct kdc_reply {
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
new file mode 100644
index 0000000000..40d11d31e9
--- /dev/null
+++ b/source4/kdc/pac-glue.c
@@ -0,0 +1,79 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ PAC Glue between Samba and the KDC
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "kdc/kdc.h"
+
+ krb5_error_code samba_get_pac(krb5_context context,
+ struct krb5_kdc_configuration *config,
+ krb5_principal client,
+ krb5_keyblock *keyblock,
+ krb5_data *pac)
+{
+ krb5_error_code ret;
+ NTSTATUS nt_status;
+ struct auth_serversupplied_info *server_info;
+ char *username, *p;
+ const char *realm;
+ TALLOC_CTX *mem_ctx = talloc_named(config, 0, "samba_get_pac context");
+ if (!mem_ctx) {
+ return ENOMEM;
+ }
+
+ ret = krb5_unparse_name(context, client, &username);
+
+ if (ret != 0) {
+ krb5_set_error_string(context, "get pac: could not parse principal");
+ krb5_warnx(context, "get pac: could not parse principal");
+ talloc_free(mem_ctx);
+ return ret;
+ }
+
+ /* parse the principal name */
+ realm = krb5_principal_get_realm(context, client);
+ username = talloc_strdup(mem_ctx, username);
+ p = strchr(username, '@');
+ if (p) {
+ p[0] = '\0';
+ }
+
+
+ nt_status = sam_get_server_info(mem_ctx, username, realm,
+ data_blob(NULL, 0), data_blob(NULL, 0),
+ &server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Getting user info for PAC failed: %s\n",
+ nt_errstr(nt_status)));
+ talloc_free(mem_ctx);
+ return EINVAL;
+ }
+
+ ret = kerberos_encode_pac(mem_ctx, server_info,
+ context,
+ keyblock,
+ pac);
+
+ talloc_free(mem_ctx);
+
+ return ret;
+}
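Review bot: The buffer `krb5_unparse_name` returns in `username` is leaked when `username = talloc_strdup(mem_ctx, username);` overwrites the only pointer to it, and the `talloc_strdup` result is not checked before `strchr`, so an allocation failure dereferences NULL. Copy into a separate pointer first, release the library-allocated string with `free()` (Heimdal's unparse allocates with malloc — confirm against the bundled heimdal), and return ENOMEM on failure. The stray leading space before `krb5_error_code samba_get_pac(` on the signature line is also worth dropping.
```c
	/* parse the principal name */
	realm = krb5_principal_get_realm(context, client);
	p = talloc_strdup(mem_ctx, username);
	free(username);		/* krb5_unparse_name()'s malloc'd copy */
	username = p;
	if (!username) {
		talloc_free(mem_ctx);
		return ENOMEM;
	}
	p = strchr(username, '@');
	/* … unchanged: strip realm, sam_get_server_info, kerberos_encode_pac … */
```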