diff options
Diffstat (limited to 'source4/kdc/pac-glue.c')
-rw-r--r-- | source4/kdc/pac-glue.c | 58 |
1 files changed, 56 insertions, 2 deletions
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 85121d40ef..a311777f2b 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -182,8 +182,9 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx, return nt_status; } -void samba_kdc_build_edata_reply(TALLOC_CTX *tmp_ctx, krb5_data *e_data, - NTSTATUS nt_status) +/* this function allocates 'data' using malloc. + * The caller is responsible for freeing it */ +void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data) { PA_DATA pa; unsigned char *buf; @@ -215,3 +216,56 @@ void samba_kdc_build_edata_reply(TALLOC_CTX *tmp_ctx, krb5_data *e_data, return; } +/* function to map policy errors */ +krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status) +{ + krb5_error_code ret; + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE)) + ret = KRB5KDC_ERR_KEY_EXPIRED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED)) + ret = KRB5KDC_ERR_KEY_EXPIRED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED)) + ret = KRB5KDC_ERR_CLIENT_REVOKED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) + ret = KRB5KDC_ERR_CLIENT_REVOKED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS)) + ret = KRB5KDC_ERR_CLIENT_REVOKED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT)) + ret = KRB5KDC_ERR_CLIENT_REVOKED; + else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION)) + ret = KRB5KDC_ERR_POLICY; + else + ret = KRB5KDC_ERR_POLICY; + + return ret; +} + +/* Given a kdc entry, consult the account_ok routine in auth/auth_sam.c + * for consistency */ +NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry, + const char *client_name, + const char *workstation, + bool password_change) +{ + TALLOC_CTX *tmp_ctx; + NTSTATUS nt_status; + + tmp_ctx = talloc_named(NULL, 0, "samba_kdc_check_client_access"); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + /* we allow all kinds of trusts here */ + nt_status = authsam_account_ok(tmp_ctx, + kdc_entry->kdc_db_ctx->samdb, + MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | + MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, + kdc_entry->realm_dn, kdc_entry->msg, + workstation, client_name, + true, password_change); + + talloc_free(tmp_ctx); + return nt_status; +} + |