s4-hdb: go back to a separate samdb for the KDC

The change to use a common system_session broke replication as the KDC
forces CRED_DONT_USE_KERBEROS on session->credentials, which is shared
with other parts of the system.

This should be fixed once we confirm whether the ldap backend actually
relies on CRED_DONT_USE_KERBEROS

1 files changed, 16 insertions, 1 deletions

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 12f354409e..2418e5c63f 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1585,6 +1585,8 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
 			      krb5_context context, struct HDB **db)
 {
 	struct auth_session_info *session_info;
+	NTSTATUS nt_status;
+
 	*db = talloc(mem_ctx, HDB);
 	if (!*db) {
 		krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
@@ -1595,17 +1597,30 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
 	(*db)->hdb_db = NULL;
 	(*db)->hdb_capability_flags = 0;
 
+#if 1
+	/* we would prefer to use system_session(), as that would
+	 * allow us to share the samdb backend context with other parts of the
+	 * system. For now we can't as we need to override the
+	 * credentials to set CRED_DONT_USE_KERBEROS, which would
+	 * break other users of the system_session */	 
+	DEBUG(0,("FIXME: Using new system session for hdb\n"));
+	nt_status = auth_system_session_info(*db, lp_ctx, &session_info);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+               return nt_status;
+	}
+#else
 	session_info = system_session(lp_ctx);
 	if (session_info == NULL) {
 		return NT_STATUS_INTERNAL_ERROR;
 	}
+#endif
 	
 	/* The idea here is very simple.  Using Kerberos to
 	 * authenticate the KDC to the LDAP server is higly likely to
 	 * be circular.
 	 *
 	 * In future we may set this up to use EXERNAL and SSL
-	 * certificates, for now it will almost certainly be NTLMSSP
+	 * certificates, for now it will almost certainly be NTLMSSP_SET_USERNAME
 	*/
 	
 	cli_credentials_set_kerberos_state(session_info->credentials,