-rw-r--r--source4/kdc/hdb-samba4.c15
-rw-r--r--source4/kdc/hdb-samba4.h8
-rw-r--r--source4/kdc/kdc.c15
-rw-r--r--source4/kdc/kdc.h1
-rw-r--r--source4/kdc/kpasswdd.c12
-rw-r--r--source4/setup/secrets_dc.ldif17
6 files changed, 39 insertions, 29 deletions
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index f5e2f59b56..1a0e93f7ce 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1563,8 +1563,14 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg)
{
NTSTATUS nt_status;
+ void *ptr;
+ struct hdb_samba4_context *hdb_samba4_context;
+ if (sscanf(arg, "&%p", &ptr) != 1) {
+ return EINVAL;
+ }
+ hdb_samba4_context = talloc_get_type_abort(ptr, struct hdb_samba4_context);
/* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */
- nt_status = hdb_samba4_create_kdc(hdb_samba4_mem_ctx, hdb_samba4_ev_ctx, hdb_samba4_lp_ctx,
+ nt_status = hdb_samba4_create_kdc(hdb_samba4_context, hdb_samba4_context->ev_ctx, hdb_samba4_context->lp_ctx,
context, db);
if (NT_STATUS_IS_OK(nt_status)) {
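Review bot: The `sscanf(arg, "&%p", &ptr)` on the new lines turns whatever string reaches hdb_samba4_create into a trusted in-process pointer, and `talloc_get_type_abort` only detects a type mismatch on a valid talloc chunk; an address that was never a talloc allocation will crash before the check fires. That makes the `samba4&<address>` form an in-process handle rather than a configurable keytab name, which is consistent with the secrets_dc.ldif hunk dropping the stored `HDB:samba4:...` entry, but nothing in the code states it. I would add above the sscanf: `/* arg is a raw pointer string; only ever built in-process (see kpasswdd.c), never from config */`. If Heimdal can hand over a NULL residual, a leading `if (arg == NULL) { return EINVAL; }` is cheap insurance against the undefined sscanf call. hdb_samba4_create continues past the end of this hunk.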
@@ -1574,9 +1580,12 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db,
}
/* Only used in the hdb-backed keytab code
- * for a keytab of 'samba4:', to find
+ * for a keytab of 'samba4&<address>', to find
* kpasswd's key in the main DB, and to
- * copy all the keys into a file (libnet_keytab_export) */
+ * copy all the keys into a file (libnet_keytab_export)
+ *
+ * The <address> is the string form of a pointer to a talloced struct hdb_samba_context
+ */
struct hdb_method hdb_samba4 = {
.interface_version = HDB_INTERFACE_VERSION,
.prefix = "samba4",
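Review bot: The added comment names `struct hdb_samba_context`, but the type introduced in hdb-samba4.h is `struct hdb_samba4_context`, so the reference will not grep. I would write the line as ` * The <address> is the string form (%p) of a pointer to a talloced struct hdb_samba4_context`, and state in the same paragraph that the address is parsed back with sscanf and therefore only a name constructed in-process by this program is valid.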
diff --git a/source4/kdc/hdb-samba4.h b/source4/kdc/hdb-samba4.h
index 3a377ddf0b..0b39fdfb10 100644
--- a/source4/kdc/hdb-samba4.h
+++ b/source4/kdc/hdb-samba4.h
@@ -21,8 +21,12 @@
*/
extern TALLOC_CTX *hdb_samba4_mem_ctx;
-extern struct tevent_context *hdb_samba4_ev_ctx;
-extern struct loadparm_context *hdb_samba4_lp_ctx;
+
+struct hdb_samba4_context {
+ struct tevent_context *ev_ctx;
+ struct loadparm_context *lp_ctx;
+};
+
extern struct hdb_method hdb_samba4;
struct hdb_samba4_private {
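Review bot: `extern TALLOC_CTX *hdb_samba4_mem_ctx;` survives this hunk although the kdc.c hunk drops the only assignment visible here and hdb_samba4_create now passes the new context struct as its memory context. If no other definition or user remains in hdb-samba4.c (not visible from this page), the declaration and its definition should go in the same commit so the dead global does not get reused. The new struct would also benefit from a short contract comment, e.g. `/* Passed to hdb_samba4_create() by address, encoded as "samba4&%p" in a keytab name; must outlive any credentials that embed it */`.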
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 28d8da9d9f..746781f02d 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -729,15 +729,20 @@ static void kdc_task_init(struct task_server *task)
kdc->smb_krb5_context->krb5_context,
&kdc->config->db[0]);
if (!NT_STATUS_IS_OK(status)) {
- task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed");
+ task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed");
return;
}
- /* Register hdb-samba4 hooks */
+ /* Register hdb-samba4 hooks for use as a keytab */
- hdb_samba4_mem_ctx = kdc->smb_krb5_context;
- hdb_samba4_ev_ctx = task->event_ctx;
- hdb_samba4_lp_ctx = task->lp_ctx;
+ kdc->hdb_samba4_context = talloc(kdc, struct hdb_samba4_context);
+ if (!kdc->hdb_samba4_context) {
+ task_server_terminate(task, "kdc: out of memory");
+ return;
+ }
+
+ kdc->hdb_samba4_context->ev_ctx = task->event_ctx;
+ kdc->hdb_samba4_context->lp_ctx = task->lp_ctx;
ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
PLUGIN_TYPE_DATA, "hdb",
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index a2bf412f2a..e8511d95eb 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -47,6 +47,7 @@ struct kdc_server {
struct task_server *task;
krb5_kdc_configuration *config;
struct smb_krb5_context *smb_krb5_context;
+ struct hdb_samba4_context *hdb_samba4_context;
};
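Review bot: The new `hdb_samba4_context` member is not documented, and its lifetime matters more than for the other pointers in kdc_server because kpasswdd.c serialises its address into a keytab name string. I would annotate the field with `/* Address is embedded in "HDB:samba4&%p" keytab names (kpasswdd.c); keep it allocated for the life of the kdc */` so a later refactor does not free or reallocate it while a credentials object still holds the encoded pointer.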
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 8f2cb68129..3a39348578 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -447,7 +447,9 @@ bool kpasswdd_process(struct kdc_server *kdc,
struct cli_credentials *server_credentials;
struct gensec_security *gensec_security;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-
+
+ char *keytab_name;
+
if (!tmp_ctx) {
return false;
}
@@ -489,8 +491,12 @@ bool kpasswdd_process(struct kdc_server *kdc,
* we already have, rather than a new context */
cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
- nt_status = cli_credentials_set_stored_principal(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, "kadmin/changepw");
- if (!NT_STATUS_IS_OK(nt_status)) {
+
+ keytab_name = talloc_asprintf(server_credentials, "HDB:samba4&%p", kdc->hdb_samba4_context);
+
+ cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED);
+ ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED);
+ if (ret != 0) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx,
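Review bot: The result of `talloc_asprintf(server_credentials, "HDB:samba4&%p", ...)` is passed to cli_credentials_set_keytab_name without a NULL check, so an allocation failure hands a NULL keytab name down the stack. I would add directly after it `if (keytab_name == NULL) { talloc_free(tmp_ctx); return false; }`, or whichever cleanup the later error paths of kpasswdd_process use (they lie outside the hunk). Separately, the removed line was the only assignment to nt_status in this stretch; if the error reply text that continues past the hunk still formats nt_status, it now reports a stale value and should use ret or a fixed message instead. The return of cli_credentials_set_username is also discarded, which is probably fine but worth a glance.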
diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif
index 8ae5578e6b..b8251eece5 100644
--- a/source4/setup/secrets_dc.ldif
+++ b/source4/setup/secrets_dc.ldif
@@ -11,22 +11,7 @@ msDS-KeyVersionNumber: 1
objectSid: ${DOMAINSID}
privateKeytab: ${SECRETS_KEYTAB}
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
-dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
-objectClass: top
-objectClass: secret
-objectClass: kerberosSecret
-flatname: ${DOMAIN}
-realm: ${REALM}
-sAMAccountName: krbtgt
-objectSid: ${DOMAINSID}
-servicePrincipalName: kadmin/changepw
-krb5Keytab: HDB:samba4:${SAM_LDB}:
-#The trailing : here is a HACK, but it matches the Heimdal format.
-
-# A hook from our credentials system into HDB, as we must be on a KDC,
-# we can look directly into the database.
+#Update a keytab for the external DNS server to use
dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
objectClass: top
objectClass: secret
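Review bot: Removing the krbtgt entry with `krb5Keytab: HDB:samba4:${SAM_LDB}:` only affects fresh provisions; an existing secrets database still carries that record, and the new hdb_samba4_create rejects the `:${SAM_LDB}:` residual with EINVAL because it expects `&<address>`. If nothing else in this series migrates or ignores the old record, a note in the commit description about the upgrade path (or a removal step in the upgrade script) seems warranted. The new comment would also read better as `# Update a keytab for the external DNS server to use`, matching the spacing of the other comments in the file.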