-rw-r--r-- | source4/kdc/hdb-ldb.c | 96 |
1 files changed, 70 insertions, 26 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 7635501064..4100511a89 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -79,6 +79,17 @@ static const char * const krb5_attrs[] = {
 NULL
 };
+const char *cross_ref_attrs[] = {
+ "nCName",
+ NULL
+};
+
+const char *realm_attrs[] = {
+ "dnsDomain",
+ "maxPwdAge",
+ NULL
+};
+
 static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val)
 {
 const char *tmp;
@@ -562,17 +573,6 @@ static krb5_error_code LDB_lookup_realm(krb5_context context, struct ldb_context
 struct ldb_message **cross_ref_msg;
 struct ldb_message **msg;
- const char *cross_ref_attrs[] = {
- "nCName",
- NULL
- };
-
- const char *realm_attrs[] = {
- "dnsDomain",
- "maxPwdAge",
- NULL
- };
-
 cross_ref_filter = talloc_asprintf(mem_ctx, "(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))", realm, realm);
@@ -752,19 +752,7 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
 return ENOMEM;
 }
- realm = krb5_principal_get_realm(context, principal);
-
- ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
- mem_ctx, realm, &realm_msg);
- if (ret != 0) {
- krb5_warnx(context, "LDB_fetch: could not find realm");
- talloc_free(mem_ctx);
- return HDB_ERR_NOENTRY;
- }
-
- realm_dn = realm_msg[0]->dn;
-
- /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
+ /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
 * is in our db, then direct the caller at our primary
 * krgtgt */
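Review bot: The two attribute lists hoisted to file scope in the @@ -79 hunk are declared `const char *cross_ref_attrs[] = {` and `const char *realm_attrs[] = {`, which makes them writable globals with external linkage, whereas the neighbouring `krb5_attrs` in the hunk header is `static const char * const`. They should be declared the same way, `static const char * const cross_ref_attrs[] = {` and `static const char * const realm_attrs[] = {`, so the pointer table lives in read-only storage and two generic names are not exported from the translation unit. The @@ -791 hunk already passes `krb5_attrs`, which has that type, to `gendb_search_dn`, so at least that call site needs no change; the use of `cross_ref_attrs` inside LDB_lookup_realm is outside this view and would need the same check.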
@@ -791,13 +779,56 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
 return ENOMEM;
 }
 ldb_ent_type = HDB_LDB_ENT_TYPE_KRBTGT;
+ break;
 } else {
 ldb_ent_type = HDB_LDB_ENT_TYPE_SERVER;
+ break;
 }
- break;
 case HDB_ENT_TYPE_CLIENT:
+ {
+ int ldb_ret;
+ NTSTATUS nt_status;
+ struct ldb_dn *user_dn, *domain_dn;
+ char *principal_string;
 ldb_ent_type = HDB_LDB_ENT_TYPE_CLIENT;
- break;
+
+ ret = krb5_unparse_name(context, principal, &principal_string);
+
+ if (ret != 0) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+
+ nt_status = crack_user_principal_name((struct ldb_context *)db->hdb_db,
+ mem_ctx, principal_string,
+ &user_dn, &domain_dn);
+ free(principal_string);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(mem_ctx);
+ return HDB_ERR_NOENTRY;
+ }
+
+ ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db,
+ mem_ctx, user_dn, &msg, krb5_attrs);
+
+ if (ldb_ret != 1) {
+ return HDB_ERR_NOENTRY;
+ }
+
+ ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db,
+ mem_ctx, domain_dn, &realm_msg, realm_attrs);
+
+ if (ldb_ret != 1) {
+ return HDB_ERR_NOENTRY;
+ }
+
+ ret = LDB_message2entry(context, db, mem_ctx,
+ principal, ldb_ent_type,
+ realm_msg[0], msg[0], entry);
+ talloc_free(mem_ctx);
+ return ret;
+ }
 case HDB_ENT_TYPE_ANY:
 ldb_ent_type = HDB_LDB_ENT_TYPE_ANY;
 break;
@@ -807,6 +838,19 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
 return HDB_ERR_NOENTRY;
 }
+
+ realm = krb5_principal_get_realm(context, principal);
+
+ ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx, realm, &realm_msg);
+ if (ret != 0) {
+ krb5_warnx(context, "LDB_fetch: could not find realm");
+ talloc_free(mem_ctx);
+ return HDB_ERR_NOENTRY;
+ }
+
+ realm_dn = realm_msg[0]->dn;
+
 ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, mem_ctx, principal, ldb_ent_type, realm_dn, &msg);
|
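Review bot: The two `if (ldb_ret != 1)` guards in the new HDB_ENT_TYPE_CLIENT block return HDB_ERR_NOENTRY without releasing `mem_ctx`, unlike the krb5_unparse_name and crack_user_principal_name failure paths a few lines above them, so every lookup miss on the user DN or the domain DN leaks the talloc context. Both guards should read `if (ldb_ret != 1) { talloc_free(mem_ctx); return HDB_ERR_NOENTRY; }`. Since this is the KDC's principal-fetch path, a miss is presumably reachable by any client naming an unknown principal, which makes the leak a slow resource drain rather than a corner case. The enclosing switch and LDB_fetch's body continue outside the hunk.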
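Review bot: In the @@ -807 hunk the realm lookup that sets `realm`, `realm_msg` and `realm_dn` now runs only after the switch, while the previous hunk removed it from before the switch, so those three are unset during the KRBTGT/SERVER branch; if the "cludge" code that follows the @@ -752 hunk (outside this view) still reads `realm` or `realm_msg`, that is now an uninitialized read. Worth confirming against the lines between the hunks; if it does, keeping `realm = krb5_principal_get_realm(context, principal);` ahead of the switch is enough, as it allocates nothing. LDB_fetch's body continues past the end of the hunk.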