r19604: This is a massive commit, and I appologise in advance for it's size.

This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.

This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted:  we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code.  We have adapted to upstream's choice of API in these cases.

In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC.  This matches windows behavour.  We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).

This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.

Andrew Bartlett
(This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)

5 files changed, 26 insertions, 12 deletions

diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 7359fe63c3..8fd69aecb1 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -462,7 +462,7 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con
 
 	struct ldb_result *res = NULL;
 
-	ret = krb5_unparse_name_norealm(context, principal, &short_princ);
+	ret = krb5_unparse_name_flags(context, principal,  KRB5_PRINCIPAL_UNPARSE_NO_REALM, &short_princ);
 
 	if (ret != 0) {
 		krb5_set_error_string(context, "LDB_lookup_principal: could not parse principal");
@@ -713,7 +713,9 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db,
 		struct ldb_dn *user_dn, *domain_dn;
 		char *principal_string;
 		
-		ret = krb5_unparse_name_norealm(context, principal, &principal_string);
+		ret = krb5_unparse_name_flags(context, principal, 
+					      KRB5_PRINCIPAL_UNPARSE_NO_REALM, 
+					      &principal_string);
 		if (ret != 0) {
 			return ret;
 		}
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 5da6be6eca..7d6155e1c0 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -49,7 +49,8 @@ typedef BOOL (*kdc_process_fn_t)(struct kdc_server *kdc,
 				 DATA_BLOB *input, 
 				 DATA_BLOB *reply,
 				 struct socket_address *peer_addr, 
-				 struct socket_address *my_addr);
+				 struct socket_address *my_addr, 
+				 int datagram);
 
 /* hold information about one kdc socket */
 struct kdc_socket {
@@ -157,7 +158,8 @@ static void kdc_recv_handler(struct kdc_socket *kdc_socket)
 				  tmp_ctx, 
 				  &blob,  
 				  &reply,
-				  src, my_addr);
+				  src, my_addr,
+				  1 /* Datagram */);
 	if (!ret) {
 		talloc_free(tmp_ctx);
 		return;
@@ -240,7 +242,8 @@ static NTSTATUS kdc_tcp_recv(void *private, DATA_BLOB blob)
 			       &input,
 			       &reply,
 			       src_addr,
-			       my_addr);
+			       my_addr,
+			       0 /* Not datagram */);
 	if (!ret) {
 		talloc_free(tmp_ctx);
 		return NT_STATUS_INTERNAL_ERROR;
@@ -306,10 +309,12 @@ static BOOL kdc_process(struct kdc_server *kdc,
 			DATA_BLOB *input, 
 			DATA_BLOB *reply,
 			struct socket_address *peer_addr, 
-			struct socket_address *my_addr)
+			struct socket_address *my_addr,
+			int datagram_reply)
 {
 	int ret;	
 	krb5_data k5_reply;
+	krb5_data_zero(&k5_reply);
 
 	DEBUG(10,("Received KDC packet of length %lu from %s:%d\n", 
 		  (long)input->length - 4, peer_addr->addr, peer_addr->port));
@@ -319,13 +324,18 @@ static BOOL kdc_process(struct kdc_server *kdc,
 					    input->data, input->length,
 					    &k5_reply,
 					    peer_addr->addr,
-					    peer_addr->sockaddr);
+					    peer_addr->sockaddr,
+					    datagram_reply);
 	if (ret == -1) {
 		*reply = data_blob(NULL, 0);
 		return False;
 	}
-	*reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length);
-	krb5_data_free(&k5_reply);
+	if (k5_reply.length) {
+		*reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length);
+		krb5_free_data_contents(kdc->smb_krb5_context->krb5_context, &k5_reply);
+	} else {
+		*reply = data_blob(NULL, 0);	
+	}
 	return True;
 }
 
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index f0d2479a25..9cd51f1d97 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -37,7 +37,8 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		      DATA_BLOB *input, 
 		      DATA_BLOB *reply,
 		      struct socket_address *peer_addr, 
-		      struct socket_address *my_addr);
+		      struct socket_address *my_addr,
+		      int datagram_reply);
 
 /*
   top level context structure for the kdc server
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 0dcbf9833d..6bc10cdced 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -410,7 +410,8 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		      DATA_BLOB *input, 
 		      DATA_BLOB *reply,
 		      struct socket_address *peer_addr,
-		      struct socket_address *my_addr)
+		      struct socket_address *my_addr,
+		      int datagram_reply)
 {
 	BOOL ret;
 	const uint16_t header_len = 6;
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index e80ad060ed..143690ff0d 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -32,7 +32,7 @@
 struct krb5_dh_moduli;
 struct _krb5_krb_auth_data;
 
-#include "heimdal/lib/krb5/krb5-private.h"
+#include "heimdal/lib/krb5/krb5_locl.h"
 
 /* Given the right private pointer from hdb_ldb, get a PAC from the attached ldb messages */
 static krb5_error_code samba_get_pac(krb5_context context,