summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2011-09-29 05:23:38 +1000
committerAndrew Tridgell <tridge@samba.org>2011-10-04 15:08:57 +1100
commitaee896ad98edf80a62e586beabffeea02e004585 (patch)
treeb954a7a4622569c98f9abf986207e6f05eb5452f /source4
parent5717da34b92cfb9385d9275df5b48c70254ce78f (diff)
downloadsamba-aee896ad98edf80a62e586beabffeea02e004585.tar.gz
samba-aee896ad98edf80a62e586beabffeea02e004585.tar.bz2
samba-aee896ad98edf80a62e586beabffeea02e004585.zip
s4-kdc: don't look at global catalog NCs in the kdc
the kdc should not be looking for users in GC partial replicas, as these users do not have all of the attributes needed for the KDC to operate Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/kdc/db-glue.c23
-rw-r--r--source4/kdc/kpasswdd.c16
2 files changed, 23 insertions, 16 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 2ed32192f8..6d13584694 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1042,9 +1042,11 @@ static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_c
return ret;
}
- lret = ldb_search(ldb_ctx, mem_ctx, &res,
- ldb_get_default_basedn(ldb_ctx),
- LDB_SCOPE_SUBTREE, attrs, "%s", filter);
+ lret = dsdb_search(ldb_ctx, mem_ctx, &res,
+ ldb_get_default_basedn(ldb_ctx),
+ LDB_SCOPE_SUBTREE, attrs,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ "%s", filter);
if (lret != LDB_SUCCESS) {
DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
return HDB_ERR_NOENTRY;
@@ -1149,7 +1151,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) {
lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
&msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
- krbtgt_attrs, 0,
+ krbtgt_attrs, DSDB_SEARCH_NO_GLOBAL_CATALOG,
"(objectClass=user)");
} else {
/* We need to look up an RODC krbtgt (perhaps
@@ -1158,7 +1160,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
&msg, realm_dn, LDB_SCOPE_SUBTREE,
krbtgt_attrs,
- DSDB_SEARCH_SHOW_EXTENDED_DN,
+ DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
"(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=%u))", (unsigned)(krbtgt_number));
}
@@ -1517,9 +1519,10 @@ krb5_error_code samba_kdc_firstkey(krb5_context context,
return ret;
}
- lret = ldb_search(ldb_ctx, priv, &res,
- priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
- "(objectClass=user)");
+ lret = dsdb_search(ldb_ctx, priv, &res,
+ priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ "(objectClass=user)");
if (lret != LDB_SUCCESS) {
TALLOC_FREE(priv);
@@ -1873,7 +1876,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
ldb_ret = dsdb_search_one(kdc_db_ctx->samdb, kdc_db_ctx,
&msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
secondary_keytab,
- 0,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG,
"(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=*))");
if (ldb_ret != LDB_SUCCESS) {
DEBUG(1, ("hdb_samba4_create: Cannot read krbtgt account %s in KDC backend to get msDS-SecondaryKrbTgtNumber: %s: %s\n",
@@ -1900,7 +1903,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
ldb_get_default_basedn(kdc_db_ctx->samdb),
LDB_SCOPE_SUBTREE,
krbtgt_attrs,
- 0,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG,
"(&(objectClass=user)(samAccountName=krbtgt))");
if (ldb_ret != LDB_SUCCESS) {
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 478dcaf573..0763e92498 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -30,6 +30,7 @@
#include "libcli/security/security.h"
#include "param/param.h"
#include "kdc/kdc-glue.h"
+#include "dsdb/common/util.h"
/* Return true if there is a valid error packet formed in the error_blob */
static bool kpasswdd_make_error_reply(struct kdc_server *kdc,
@@ -160,24 +161,27 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
struct samr_Password *oldLmHash, *oldNtHash;
struct ldb_context *samdb;
const char * const attrs[] = { "dBCSPwd", "unicodePwd", NULL };
- struct ldb_message **res;
+ struct ldb_message *msg;
int ret;
/* Fetch the old hashes to get the old password in order to perform
* the password change operation. Naturally it would be much better to
* have a password hash from an authentication around but this doesn't
* seem to be the case here. */
- ret = gendb_search(kdc->samdb, mem_ctx, NULL, &res, attrs,
- "(&(objectClass=user)(sAMAccountName=%s))",
- session_info->info->account_name);
- if (ret != 1) {
+ ret = dsdb_search_one(kdc->samdb, mem_ctx, &msg, ldb_get_default_basedn(kdc->samdb),
+ LDB_SCOPE_SUBTREE,
+ attrs,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ "(&(objectClass=user)(sAMAccountName=%s))",
+ session_info->info->account_name);
+ if (ret != LDB_SUCCESS) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_ACCESSDENIED,
"No such user when changing password",
reply);
}
- status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, res[0],
+ status = samdb_result_passwords(mem_ctx, kdc->task->lp_ctx, msg,
&oldLmHash, &oldNtHash);
if (!NT_STATUS_IS_OK(status)) {
return kpasswdd_make_error_reply(kdc, mem_ctx,