summaryrefslogtreecommitdiff
path: root/source4/kdc
diff options
context:
space:
mode:
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/hdb-ldb.c2
-rw-r--r--source4/kdc/kdc.c6
-rw-r--r--source4/kdc/pac-glue.c66
3 files changed, 53 insertions, 21 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index bc5a45ae2b..d983b77b40 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -510,7 +510,7 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
entry_ex->entry.valid_start = NULL;
- acct_expiry = samdb_result_account_expires(msg, 0);
+ acct_expiry = samdb_result_account_expires(msg);
if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) {
entry_ex->entry.valid_end = NULL;
} else {
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 92a5dc26e0..72b5bb14a9 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -639,9 +639,9 @@ static void kdc_task_init(struct task_server *task)
}
/* Registar WinDC hooks */
- ret = _krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
- PLUGIN_TYPE_DATA, "windc",
- &windc_plugin_table);
+ ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
+ PLUGIN_TYPE_DATA, "windc",
+ &windc_plugin_table);
if(ret) {
task_server_terminate(task, "kdc: failed to register hdb keytab");
return;
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 66f36af870..1c68d4c37d 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -220,13 +220,47 @@ krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context,
return ret;
}
+static void samba_kdc_build_edata_reply(TALLOC_CTX *tmp_ctx, krb5_data *e_data,
+ NTSTATUS nt_status)
+{
+ PA_DATA pa;
+ unsigned char *buf;
+ size_t len;
+ krb5_error_code ret = 0;
+
+ if (!e_data)
+ return;
+
+ pa.padata_type = KRB5_PADATA_PW_SALT;
+ pa.padata_value.length = 12;
+ pa.padata_value.data = malloc(pa.padata_value.length);
+ if (!pa.padata_value.data) {
+ e_data->length = 0;
+ e_data->data = NULL;
+ return;
+ }
+
+ SIVAL(pa.padata_value.data, 0, NT_STATUS_V(nt_status));
+ SIVAL(pa.padata_value.data, 4, 0);
+ SIVAL(pa.padata_value.data, 8, 1);
+
+ ASN1_MALLOC_ENCODE(PA_DATA, buf, len, &pa, &len, ret);
+ free(pa.padata_value.data);
+
+ e_data->data = buf;
+ e_data->length = len;
+
+ return;
+}
+
/* Given an hdb entry (and in particular it's private member), consult
* the account_ok routine in auth/auth_sam.c for consistancy */
krb5_error_code samba_kdc_check_client_access(void *priv,
krb5_context context, hdb_entry_ex *entry_ex,
- KDC_REQ *req)
+ KDC_REQ *req,
+ krb5_data *e_data)
{
krb5_error_code ret;
NTSTATUS nt_status;
@@ -274,30 +308,28 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
name);
free(name);
- /* TODO: Need a more complete mapping of NTSTATUS to krb5kdc errors */
-
- /* TODO: Also need to add the appropriate e-data struct of type
- * PA-PW-SALT (3) that includes the NT_STATUS code, which gives Windows
- * the information it needs to display the appropriate dialog. */
+ if (NT_STATUS_IS_OK(nt_status))
+ return 0;
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE))
- return KRB5KDC_ERR_KEY_EXPIRED;
+ ret = KRB5KDC_ERR_KEY_EXPIRED;
else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED))
- return KRB5KDC_ERR_KEY_EXPIRED;
+ ret = KRB5KDC_ERR_KEY_EXPIRED;
else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED))
- return KRB5KDC_ERR_CLIENT_REVOKED;
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED))
- return KRB5KDC_ERR_CLIENT_REVOKED;
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS))
- return KRB5KDC_ERR_CLIENT_REVOKED;
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT))
- return KRB5KDC_ERR_CLIENT_REVOKED;
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION))
- return KRB5KDC_ERR_POLICY;
- else if (!NT_STATUS_IS_OK(nt_status)) {
- return KRB5KDC_ERR_POLICY;
- }
+ ret = KRB5KDC_ERR_POLICY;
+ else
+ ret = KRB5KDC_ERR_POLICY;
- return 0;
+ samba_kdc_build_edata_reply(tmp_ctx, e_data, nt_status);
+
+ return ret;
}