author | Simo Sorce <idra@samba.org> | 2012-04-19 17:54:57 -0400 |
---|---|---|
committer | Simo Sorce <idra@samba.org> | 2012-04-20 01:53:37 +0200 |
commit | 4b29cf5f66c5e75f759a5c2a79ba26629f907778 (patch) | |
tree | bd2d0eadafc8387bb7dc79166af4beb0d926d63f /source4/rpc_server | |
parent | 37e98ff252edc5e76d2c74a8459247ffcb5fd101 (diff) | |
Move kdc_get_policy helper in the lsa server where it belongs.
This was used in only 2 places, db-glue.c and the lsa server.
In db-glue.c it is awkward though, as it forces the use of an inconvenient lsa
structure and conversions from time_t to nt_time only to have nt_times
converted back to time_t for actual use. This is silly.
Also the kdc-policy file was a single-function library, that's just ridiculous.
The loadparm helper is all we need to keep the values consistent, and if we
ever end up doing something with group policies we will care about it when it's
the time. the code would have to change quite a lot anyway.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 26 | ||||
-rwxr-xr-x | source4/rpc_server/wscript_build | 2 |
2 files changed, 26 insertions, 2 deletions
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index de95b4a7fa..2ecd144bfb 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -31,7 +31,6 @@
 #include "lib/util/tsort.h"
 #include "dsdb/common/util.h"
 #include "libcli/security/session.h"
-#include "kdc/kdc-policy.h"
 #include "libcli/lsarpc/util_lsarpc.h"
 /*
@@ -3691,6 +3690,31 @@ static NTSTATUS dcesrv_lsa_SetInfoPolicy2(struct dcesrv_call_state *dce_call,
 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
 }
+static void kdc_get_policy(struct loadparm_context *lp_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ struct lsa_DomainInfoKerberos *k)
+{
+ time_t svc_tkt_lifetime;
+ time_t usr_tkt_lifetime;
+ time_t renewal_lifetime;
+
+ /* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+ /* Our KDC always re-validates the client */
+ k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+ lpcfg_default_kdc_policy(lp_ctx, &svc_tkt_lifetime,
+ &usr_tkt_lifetime, &renewal_lifetime);
+
+ unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
+ unix_to_nt_time(&k->user_tkt_lifetime, usr_tkt_lifetime);
+ unix_to_nt_time(&k->user_tkt_renewaltime, renewal_lifetime);
+ if (smb_krb5_context) {
+ unix_to_nt_time(&k->clock_skew,
+ krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+ }
+ k->reserved = 0;
+}
 /*
 lsa_QueryDomainInformationPolicy
 */
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index ffdee2394a..c684c05ca8 100755
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -93,7 +93,7 @@ bld.SAMBA_MODULE('dcerpc_lsarpc',
 autoproto='lsa/proto.h',
 subsystem='dcerpc_server',
 init_function='dcerpc_server_lsa_init',
- deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security kdc-policy UTIL_LSARPC'
+ deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security UTIL_LSARPC'
 ) |
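Review bot: In the added `kdc_get_policy`, `k->clock_skew` is never written when `smb_krb5_context` is NULL, although every other field of the structure is assigned. The caller sits outside this hunk, so it cannot be seen here whether `k` is zeroed beforehand; if it is not, an indeterminate value would be marshalled into the LSA reply sent to the client. Assigning a default ahead of the branch, `k->clock_skew = 0;`, keeps the output fully defined on both paths. A one-line comment noting that the three lifetimes are durations passed through `unix_to_nt_time`, a helper whose name suggests it converts absolute timestamps, would also spare the next reader from having to check how those values end up encoded.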