r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our

case) as the keytab.

This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).

Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)

5 files changed, 45 insertions, 9 deletions

diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk
index f1aef75df5..32f10c93a5 100644
--- a/source4/kdc/config.mk
+++ b/source4/kdc/config.mk
@@ -6,10 +6,21 @@
 NOPROTO = YES
 OBJ_FILES = \
 		kdc.o \
-		pac-glue.o \
-		hdb-ldb.o \
 		kpasswdd.o
 REQUIRED_SUBSYSTEMS = \
 		LIBLDB KERBEROS_LIB HEIMDAL_KDC HEIMDAL_HDB 
 # End SUBSYSTEM KDC
 #######################
+
+#######################
+# Start SUBSYSTEM KDC
+[SUBSYSTEM::HDB_LDB]
+NOPROTO = YES
+OBJ_FILES = \
+		hdb-ldb.o \
+		pac-glue.o 
+REQUIRED_SUBSYSTEMS = \
+		LIBLDB KERBEROS_LIB HEIMDAL_HDB 
+# End SUBSYSTEM KDC
+#######################
+
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 43009c1c1b..a155e24e7e 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -948,8 +948,13 @@ static krb5_error_code LDB_destroy(krb5_context context, HDB *db)
 	return 0;
 }
 
-NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx, 
-			krb5_context context, struct HDB **db, const char *arg)
+/* This interface is to be called by the KDC, which is expecting Samba
+ * calling conventions.  It is also called by a wrapper
+ * (hdb_ldb_create) from the kpasswdd -> krb5 -> keytab_hdb -> hdb
+ * code */
+
+NTSTATUS kdc_hdb_ldb_create(TALLOC_CTX *mem_ctx, 
+			    krb5_context context, struct HDB **db, const char *arg)
 {
 	NTSTATUS nt_status;
 	struct auth_session_info *session_info;
@@ -1008,3 +1013,15 @@ NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx,
 
 	return NT_STATUS_OK;
 }
+
+krb5_error_code hdb_ldb_create(krb5_context context, struct HDB **db, const char *arg)
+{
+	NTSTATUS nt_status;
+	/* Disgusting, ugly hack, but it means one less private hook */
+	nt_status = kdc_hdb_ldb_create(context->mem_ctx, context, db, arg);
+
+	if (NT_STATUS_IS_OK(nt_status)) {
+		return 0;
+	}
+	return EINVAL;
+}
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 12672bee53..4b958fdce8 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -570,13 +570,18 @@ static void kdc_task_init(struct task_server *task)
 	}
 	kdc->config->num_db = 1;
 		
-	status = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context, 
-				   &kdc->config->db[0], NULL);
+	status = kdc_hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context, 
+				    &kdc->config->db[0], NULL);
 	if (!NT_STATUS_IS_OK(status)) {
 		task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed");
 		return; 
 	}
 
+	ret = krb5_kt_register(kdc->smb_krb5_context->krb5_context, &hdb_kt_ops);
+	if(ret) {
+		task_server_terminate(task, "kdc: failed to register hdb keytab");
+		return;
+	}
 	/* start listening on the configured network interfaces */
 	status = kdc_startup_interfaces(kdc);
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index 1038c7df95..df6c5889e6 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -29,8 +29,8 @@
 
 struct kdc_server;
 
-NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx, 
-			krb5_context context, struct HDB **db, const char *arg);
+NTSTATUS kdc_hdb_ldb_create(TALLOC_CTX *mem_ctx, 
+			    krb5_context context, struct HDB **db, const char *arg);
 BOOL kpasswdd_process(struct kdc_server *kdc,
 		      TALLOC_CTX *mem_ctx, 
 		      DATA_BLOB *input, 
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 05aced904d..8e6448435b 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -457,7 +457,10 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
 		DEBUG(1, ("Failed to init server credentials\n"));
 		return False;
 	}
-	
+
+	/* We want the credentials subsystem to use the krb5 context
+	 * we already have, rather than a new context */	
+	cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
 	cli_credentials_set_conf(server_credentials);
 	nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw");
 	if (!NT_STATUS_IS_OK(nt_status)) {