-rw-r--r--source4/kdc/db-glue.c17
-rw-r--r--source4/kdc/kdc-policy.h25
-rw-r--r--source4/kdc/policy.c52
-rw-r--r--source4/kdc/samba_kdc.h8
-rwxr-xr-x[-rw-r--r--]source4/kdc/wscript_build10
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c26
-rwxr-xr-xsource4/rpc_server/wscript_build2
7 files changed, 44 insertions, 96 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 95a524d605..7bb2db2fb0 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -35,7 +35,6 @@
#include <hdb.h>
#include "kdc/samba_kdc.h"
#include "kdc/kdc-glue.h"
-#include "kdc/kdc-policy.h"
#include "kdc/db-glue.h"
#define SAMBA_KVNO_GET_KRBTGT(kvno) \
@@ -784,12 +783,12 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
}
if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
- *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime);
+ *entry_ex->entry.max_life = kdc_db_ctx->policy.svc_tkt_lifetime;
} else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
- *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime);
+ *entry_ex->entry.max_life = kdc_db_ctx->policy.usr_tkt_lifetime;
} else {
- *entry_ex->entry.max_life = MIN(nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime),
- nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime));
+ *entry_ex->entry.max_life = MIN(kdc_db_ctx->policy.svc_tkt_lifetime,
+ kdc_db_ctx->policy.usr_tkt_lifetime);
}
entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
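Review bot: The assignment `*entry_ex->entry.max_life = kdc_db_ctx->policy.svc_tkt_lifetime;` (and the two below it) now stores a signed `time_t` into `max_life` with no range check; if `max_life` is the `unsigned int` Heimdal's `hdb_entry` uses, a negative or oversized configured lifetime wraps to a very large value, i.e. a much longer ticket lifetime than intended rather than a shorter one. The dropped NTTIME round-trip did not guard against this either, so it is not a regression, but this commit is the natural place to reject such values. Rejecting negatives where the policy is loaded, or a guard such as `if (kdc_db_ctx->policy.svc_tkt_lifetime < 0 || kdc_db_ctx->policy.usr_tkt_lifetime < 0) { goto out; }` with an error set before these assignments, would make the failure mode explicit instead of silent. samba_kdc_message2entry starts before and ends after this hunk.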
@@ -798,7 +797,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
goto out;
}
- *entry_ex->entry.max_renew = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_renewaltime);
+ *entry_ex->entry.max_renew = kdc_db_ctx->policy.renewal_lifetime;
entry_ex->entry.generation = NULL;
@@ -1881,7 +1880,11 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
- kdc_get_policy(base_ctx->lp_ctx, NULL, &kdc_db_ctx->policy);
+ /* get default kdc policy */
+ lpcfg_default_kdc_policy(base_ctx->lp_ctx,
+ &kdc_db_ctx->policy.svc_tkt_lifetime,
+ &kdc_db_ctx->policy.usr_tkt_lifetime,
+ &kdc_db_ctx->policy.renewal_lifetime);
session_info = system_session(kdc_db_ctx->lp_ctx);
if (session_info == NULL) {
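Review bot: The new `lpcfg_default_kdc_policy(base_ctx->lp_ctx, ...)` call fills the three lifetimes without any sanity check, and the comment `/* get default kdc policy */` drops the caveat the deleted policy.c carried about these being interim defaults. Nothing here verifies that the values are non-negative or that `renewal_lifetime` is at least `usr_tkt_lifetime`, so a misconfigured value is only discovered when tickets are issued. I would keep the original caveat and state the units, e.g. `/* Lifetimes in seconds from the loadparm defaults; per-domain (Group Policy) Kerberos policy is not consulted here yet. */`, and have samba_kdc_setup_db_ctx fail for negative values rather than storing them. samba_kdc_setup_db_ctx starts before and ends after this hunk.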
diff --git a/source4/kdc/kdc-policy.h b/source4/kdc/kdc-policy.h
deleted file mode 100644
index 01e9372596..0000000000
--- a/source4/kdc/kdc-policy.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- KDC Policy
-
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-struct lsa_DomainInfoKerberos;
-struct loadparm_context;
-struct smb_krb5_context;
-#include "kdc/kdc-policy-proto.h"
diff --git a/source4/kdc/policy.c b/source4/kdc/policy.c
deleted file mode 100644
index 4109cb4c85..0000000000
--- a/source4/kdc/policy.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- KDC Policy
-
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
-#include "param/param.h"
-#include "kdc/kdc-policy.h"
-
-void kdc_get_policy(struct loadparm_context *lp_ctx,
- struct smb_krb5_context *smb_krb5_context,
- struct lsa_DomainInfoKerberos *k)
-{
- time_t svc_tkt_lifetime;
- time_t usr_tkt_lifetime;
- time_t renewal_lifetime;
-
- /* These should be set and stored via Group Policy, but until then, some defaults are in order */
-
- /* Our KDC always re-validates the client */
- k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
-
- lpcfg_default_kdc_policy(lp_ctx, &svc_tkt_lifetime,
- &usr_tkt_lifetime, &renewal_lifetime);
-
- unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
- unix_to_nt_time(&k->user_tkt_lifetime, usr_tkt_lifetime);
- unix_to_nt_time(&k->user_tkt_renewaltime, renewal_lifetime);
- if (smb_krb5_context) {
- unix_to_nt_time(&k->clock_skew,
- krb5_get_max_time_skew(smb_krb5_context->krb5_context));
- }
- k->reserved = 0;
-}
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 1c3bb1687b..607b436d16 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -24,6 +24,12 @@
#ifndef _SAMBA_KDC_H_
#define _SAMBA_KDC_H_
+struct samba_kdc_policy {
+ time_t svc_tkt_lifetime;
+ time_t usr_tkt_lifetime;
+ time_t renewal_lifetime;
+};
+
struct samba_kdc_base_context {
struct tevent_context *ev_ctx;
struct loadparm_context *lp_ctx;
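Review bot: The new `struct samba_kdc_policy` carries no documentation of what its three fields hold or in which unit, which matters because the same quantities exist as NTTIME in `lsa_DomainInfoKerberos` (via `unix_to_nt_time` in the moved kdc_get_policy) and here as `time_t`. A reader switching between the two representations has no hint that these are seconds. I would add above the struct `/* Default ticket policy applied by the KDC; all values are lifetimes in seconds (time_t), not NTTIME. */` and a one-line comment per field: max life for service (SERVER) entries, max life for client and krbtgt entries, and max renewable life, which is what db-glue.c applies them as.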
@@ -39,7 +45,7 @@ struct samba_kdc_db_context {
bool rodc;
unsigned int my_krbtgt_number;
struct ldb_dn *krbtgt_dn;
- struct lsa_DomainInfoKerberos policy;
+ struct samba_kdc_policy policy;
};
struct samba_kdc_entry {
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 22eee12c8b..a5668188d5 100644..100755
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -49,19 +49,11 @@ bld.SAMBA_LIBRARY('pac',
bld.SAMBA_LIBRARY('db-glue',
source='db-glue.c',
- deps='ldb auth4_sam auth_sam_reply samba-credentials hdb samba-hostconfig com_err kdc-policy',
+ deps='ldb auth4_sam auth_sam_reply samba-credentials hdb samba-hostconfig com_err',
private_library=True,
includes='../heimdal/kdc',
)
-bld.SAMBA_LIBRARY('kdc-policy',
- source='policy.c',
- deps='samba-hostconfig authkrb5',
- private_library=True,
- autoproto = 'kdc-policy-proto.h'
- )
-
-
bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
source='mit_samba.c',
deps='ldb auth4_sam auth_sam_reply samba-credentials hdb db-glue PAC_GLUE samba-hostconfig com_err'
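Review bot: The index line shows source4/kdc/wscript_build changing mode from 100644 to 100755, which is unrelated to removing the kdc-policy library from the dependency list. If it is intended to match rpc_server/wscript_build, which the diffstat already shows as executable, it should be called out; otherwise it looks like an accidental chmod and should be dropped from this commit.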
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index de95b4a7fa..2ecd144bfb 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -31,7 +31,6 @@
#include "lib/util/tsort.h"
#include "dsdb/common/util.h"
#include "libcli/security/session.h"
-#include "kdc/kdc-policy.h"
#include "libcli/lsarpc/util_lsarpc.h"
/*
@@ -3691,6 +3690,31 @@ static NTSTATUS dcesrv_lsa_SetInfoPolicy2(struct dcesrv_call_state *dce_call,
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
+static void kdc_get_policy(struct loadparm_context *lp_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ struct lsa_DomainInfoKerberos *k)
+{
+ time_t svc_tkt_lifetime;
+ time_t usr_tkt_lifetime;
+ time_t renewal_lifetime;
+
+ /* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+ /* Our KDC always re-validates the client */
+ k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+ lpcfg_default_kdc_policy(lp_ctx, &svc_tkt_lifetime,
+ &usr_tkt_lifetime, &renewal_lifetime);
+
+ unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
+ unix_to_nt_time(&k->user_tkt_lifetime, usr_tkt_lifetime);
+ unix_to_nt_time(&k->user_tkt_renewaltime, renewal_lifetime);
+ if (smb_krb5_context) {
+ unix_to_nt_time(&k->clock_skew,
+ krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+ }
+ k->reserved = 0;
+}
/*
lsa_QueryDomainInformationPolicy
*/
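Review bot: In the moved `kdc_get_policy`, `k->clock_skew` is written only when `smb_krb5_context` is non-NULL, so in the NULL case that field keeps whatever the caller left in `*k`; unless the caller zero-initialises the struct (not visible in this hunk), the stale value reaches the `lsa_DomainInfoKerberos` reply uninitialised. Every other field is set unconditionally, so the skew field should match: `} else { k->clock_skew = 0; }` after the `if`. Now that the function is file-local it also deserves a header comment, e.g. `/* Fill the Kerberos domain policy returned by lsa_QueryDomainInformationPolicy from the loadparm defaults. */`, and a `dcesrv_lsa_` prefix would match the naming of the surrounding handlers such as dcesrv_lsa_SetInfoPolicy2. A blank line between the closing brace and the following comment block would match the surrounding layout.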
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index ffdee2394a..c684c05ca8 100755
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -93,7 +93,7 @@ bld.SAMBA_MODULE('dcerpc_lsarpc',
autoproto='lsa/proto.h',
subsystem='dcerpc_server',
init_function='dcerpc_server_lsa_init',
- deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security kdc-policy UTIL_LSARPC'
+ deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security UTIL_LSARPC'
)