-rw-r--r-- | source4/kdc/db-glue.c | 17 | ||||
-rw-r--r-- | source4/kdc/kdc-policy.h | 25 | ||||
-rw-r--r-- | source4/kdc/policy.c | 52 | ||||
-rw-r--r-- | source4/kdc/samba_kdc.h | 8 | ||||
-rwxr-xr-x[-rw-r--r--] | source4/kdc/wscript_build | 10 | ||||
-rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 26 | ||||
-rwxr-xr-x | source4/rpc_server/wscript_build | 2 |
7 files changed, 44 insertions, 96 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 95a524d605..7bb2db2fb0 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -35,7 +35,6 @@
 #include <hdb.h>
 #include "kdc/samba_kdc.h"
 #include "kdc/kdc-glue.h"
-#include "kdc/kdc-policy.h"
 #include "kdc/db-glue.h"
 
 #define SAMBA_KVNO_GET_KRBTGT(kvno) \
@@ -784,12 +783,12 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 }
 
 if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
- *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime);
+ *entry_ex->entry.max_life = kdc_db_ctx->policy.svc_tkt_lifetime;
 } else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
- *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime);
+ *entry_ex->entry.max_life = kdc_db_ctx->policy.usr_tkt_lifetime;
 } else {
- *entry_ex->entry.max_life = MIN(nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime),
- nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime));
+ *entry_ex->entry.max_life = MIN(kdc_db_ctx->policy.svc_tkt_lifetime,
+ kdc_db_ctx->policy.usr_tkt_lifetime);
 }
 
 entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
@@ -798,7 +797,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 goto out;
 }
 
- *entry_ex->entry.max_renew = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_renewaltime);
+ *entry_ex->entry.max_renew = kdc_db_ctx->policy.renewal_lifetime;
 
 entry_ex->entry.generation = NULL;
@@ -1881,7 +1880,11 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
 kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
 kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
 
- kdc_get_policy(base_ctx->lp_ctx, NULL, &kdc_db_ctx->policy);
+ /* get default kdc policy */
+ lpcfg_default_kdc_policy(base_ctx->lp_ctx,
+ &kdc_db_ctx->policy.svc_tkt_lifetime,
+ &kdc_db_ctx->policy.usr_tkt_lifetime,
+ &kdc_db_ctx->policy.renewal_lifetime);
 
 session_info = system_session(kdc_db_ctx->lp_ctx);
 if (session_info == NULL) {
diff --git a/source4/kdc/kdc-policy.h b/source4/kdc/kdc-policy.h
deleted file mode 100644
index 01e9372596..0000000000
--- a/source4/kdc/kdc-policy.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- KDC Policy
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-struct lsa_DomainInfoKerberos;
-struct loadparm_context;
-struct smb_krb5_context;
-#include "kdc/kdc-policy-proto.h"
diff --git a/source4/kdc/policy.c b/source4/kdc/policy.c
deleted file mode 100644
index 4109cb4c85..0000000000
--- a/source4/kdc/policy.c
+++ /dev/null
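Review bot: The three lifetimes copied into kdc_db_ctx->policy here are stored without any sanity check, and the db-glue.c hunk above writes them straight into entry.max_life / max_renew, so a zero, negative or absurdly large value coming out of smb.conf reaches the KDC unvalidated unless lpcfg_default_kdc_policy already clamps (not visible in this diff). The old nt_time round-trip did not validate either, but now that the values are plain time_t this call site is the natural place for a guard, e.g. `if (kdc_db_ctx->policy.usr_tkt_lifetime <= 0 || kdc_db_ctx->policy.renewal_lifetime < kdc_db_ctx->policy.usr_tkt_lifetime) { DEBUG(1, ("samba_kdc_setup_db_ctx: suspicious kdc ticket lifetime policy\n")); }`. The comment `/* get default kdc policy */` only restates the call; since this diff moves clock_skew and authentication_options out of the KDC context into dcesrv_lsa.c, a comment saying that only the three lifetimes are kept here (clock skew comes from the krb5 context, the LSA view is built separately) would explain the narrower struct to the next reader. samba_kdc_setup_db_ctx's body starts and continues outside the hunk.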
@@ -1,52 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- KDC Policy
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
-#include "param/param.h"
-#include "kdc/kdc-policy.h"
-
-void kdc_get_policy(struct loadparm_context *lp_ctx,
- struct smb_krb5_context *smb_krb5_context,
- struct lsa_DomainInfoKerberos *k)
-{
- time_t svc_tkt_lifetime;
- time_t usr_tkt_lifetime;
- time_t renewal_lifetime;
-
- /* These should be set and stored via Group Policy, but until then, some defaults are in order */
-
- /* Our KDC always re-validates the client */
- k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
-
- lpcfg_default_kdc_policy(lp_ctx, &svc_tkt_lifetime,
- &usr_tkt_lifetime, &renewal_lifetime);
-
- unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
- unix_to_nt_time(&k->user_tkt_lifetime, usr_tkt_lifetime);
- unix_to_nt_time(&k->user_tkt_renewaltime, renewal_lifetime);
- if (smb_krb5_context) {
- unix_to_nt_time(&k->clock_skew,
- krb5_get_max_time_skew(smb_krb5_context->krb5_context));
- }
- k->reserved = 0;
-}
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 1c3bb1687b..607b436d16 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -24,6 +24,12 @@
 #ifndef _SAMBA_KDC_H_
 #define _SAMBA_KDC_H_
 
+struct samba_kdc_policy {
+ time_t svc_tkt_lifetime;
+ time_t usr_tkt_lifetime;
+ time_t renewal_lifetime;
+};
+
 struct samba_kdc_base_context {
 struct tevent_context *ev_ctx;
 struct loadparm_context *lp_ctx;
@@ -39,7 +45,7 @@ struct samba_kdc_db_context {
 bool rodc;
 unsigned int my_krbtgt_number;
 struct ldb_dn *krbtgt_dn;
- struct lsa_DomainInfoKerberos policy;
+ struct samba_kdc_policy policy;
 };
 
 struct samba_kdc_entry {
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 22eee12c8b..a5668188d5 100644..100755
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -49,19 +49,11 @@ bld.SAMBA_LIBRARY('pac',
 
 bld.SAMBA_LIBRARY('db-glue',
 source='db-glue.c',
- deps='ldb auth4_sam auth_sam_reply samba-credentials hdb samba-hostconfig com_err kdc-policy',
+ deps='ldb auth4_sam auth_sam_reply samba-credentials hdb samba-hostconfig com_err',
 private_library=True,
 includes='../heimdal/kdc',
 )
 
-bld.SAMBA_LIBRARY('kdc-policy',
- source='policy.c',
- deps='samba-hostconfig authkrb5',
- private_library=True,
- autoproto = 'kdc-policy-proto.h'
- )
-
-
 bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
 source='mit_samba.c',
 deps='ldb auth4_sam auth_sam_reply samba-credentials hdb db-glue PAC_GLUE samba-hostconfig com_err'
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index de95b4a7fa..2ecd144bfb 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -31,7 +31,6 @@
 #include "lib/util/tsort.h"
 #include "dsdb/common/util.h"
 #include "libcli/security/session.h"
-#include "kdc/kdc-policy.h"
 #include "libcli/lsarpc/util_lsarpc.h"
 
 /*
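Review bot: struct samba_kdc_policy is introduced with no comment on what the three fields mean or what unit they carry, and the only way to find out is to trace them through db-glue.c into hdb_entry max_life/max_renew. A short header comment would save that trip, e.g. `/* KDC defaults read from smb.conf by lpcfg_default_kdc_policy(); presumably seconds, since db-glue.c stores them unchanged in hdb_entry max_life/max_renew. Replaces the lsa_DomainInfoKerberos formerly embedded in samba_kdc_db_context. */`, plus one-line notes that svc_tkt_lifetime applies to service entries, usr_tkt_lifetime to client and krbtgt entries, and renewal_lifetime to max_renew (the three cases in samba_kdc_message2entry). The unit should be confirmed against lpcfg_default_kdc_policy before the comment claims it.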
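Review bot: The file header flips source4/kdc/wscript_build from mode 100644 to 100755 (the diffstat shows the same), which has nothing to do with dropping the kdc-policy library; if it is unintended it should be reverted, and if it is deliberate (source4/rpc_server/wscript_build is already 100755) it deserves a sentence in the commit message so the mode change is not mistaken for an accident. The dependency edit itself is consistent with the rest of the diff: kdc-policy is removed from db-glue's deps in the same hunk that deletes the library definition.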
@@ -3691,6 +3690,31 @@ static NTSTATUS dcesrv_lsa_SetInfoPolicy2(struct dcesrv_call_state *dce_call,
 DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
 }
 
+static void kdc_get_policy(struct loadparm_context *lp_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ struct lsa_DomainInfoKerberos *k)
+{
+ time_t svc_tkt_lifetime;
+ time_t usr_tkt_lifetime;
+ time_t renewal_lifetime;
+
+ /* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+ /* Our KDC always re-validates the client */
+ k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+ lpcfg_default_kdc_policy(lp_ctx, &svc_tkt_lifetime,
+ &usr_tkt_lifetime, &renewal_lifetime);
+
+ unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
+ unix_to_nt_time(&k->user_tkt_lifetime, usr_tkt_lifetime);
+ unix_to_nt_time(&k->user_tkt_renewaltime, renewal_lifetime);
+ if (smb_krb5_context) {
+ unix_to_nt_time(&k->clock_skew,
+ krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+ }
+ k->reserved = 0;
+}
 /*
 lsa_QueryDomainInformationPolicy
 */
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index ffdee2394a..c684c05ca8 100755
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -93,7 +93,7 @@ bld.SAMBA_MODULE('dcerpc_lsarpc',
 autoproto='lsa/proto.h',
 subsystem='dcerpc_server',
 init_function='dcerpc_server_lsa_init',
- deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security kdc-policy UTIL_LSARPC'
+ deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security UTIL_LSARPC'
 )
|
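Review bot: kdc_get_policy leaves k->clock_skew untouched when smb_krb5_context is NULL, and lsa_DomainInfoKerberos is presumably the structure that lsa_QueryDomainInformationPolicy (the function following this hunk) marshals back to the RPC client, so unless every caller zero-initialises *k first (the callers are outside this hunk) an uninitialised field can be sent on the wire. Now that the helper is private to this file, give that branch an explicit value rather than relying on the caller: `} else { k->clock_skew = 0; }` after the existing if-block. The function also arrived without a header comment; a line such as `/* Fill *k from the smb.conf KDC defaults; clock_skew is only available when a krb5 context is supplied */` would document the asymmetry. From the hunk's line counts it also looks as if no blank line separates the new closing brace from the `/* lsa_QueryDomainInformationPolicy */` comment that follows.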