summaryrefslogtreecommitdiff
path: root/source4/kdc
diff options
context:
space:
mode:
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/config.mk3
-rw-r--r--source4/kdc/hdb-samba4.c239
-rw-r--r--source4/kdc/hdb-samba4.h8
-rw-r--r--source4/kdc/kdc.c458
-rw-r--r--source4/kdc/kdc.h12
-rw-r--r--source4/kdc/kpasswdd.c216
-rw-r--r--source4/kdc/pac-glue.c30
-rw-r--r--source4/kdc/pac-glue.h6
8 files changed, 450 insertions, 522 deletions
diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk
index 7a99857248..a9d01585f0 100644
--- a/source4/kdc/config.mk
+++ b/source4/kdc/config.mk
@@ -6,7 +6,8 @@
INIT_FUNCTION = server_service_kdc_init
SUBSYSTEM = service
PRIVATE_DEPENDENCIES = \
- HEIMDAL_KDC HDB_SAMBA4 PAC_GLUE LIBSAMBA-HOSTCONFIG
+ HEIMDAL_KDC HDB_SAMBA4 PAC_GLUE LIBSAMBA-HOSTCONFIG \
+ LIBTSOCKET
# End SUBSYSTEM KDC
#######################
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 2418e5c63f..2f3c30c283 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -53,13 +53,13 @@
#include "kdc/kdc.h"
#include "../lib/crypto/md4.h"
-enum hdb_samba4_ent_type
-{ HDB_SAMBA4_ENT_TYPE_CLIENT, HDB_SAMBA4_ENT_TYPE_SERVER,
+enum hdb_samba4_ent_type
+{ HDB_SAMBA4_ENT_TYPE_CLIENT, HDB_SAMBA4_ENT_TYPE_SERVER,
HDB_SAMBA4_ENT_TYPE_KRBTGT, HDB_SAMBA4_ENT_TYPE_TRUST, HDB_SAMBA4_ENT_TYPE_ANY };
enum trust_direction {
UNKNOWN = 0,
- INBOUND = LSA_TRUST_DIRECTION_INBOUND,
+ INBOUND = LSA_TRUST_DIRECTION_INBOUND,
OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
};
@@ -93,7 +93,7 @@ static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, con
return timegm(&tm);
}
-static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum hdb_samba4_ent_type ent_type)
+static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum hdb_samba4_ent_type ent_type)
{
HDBFlags flags = int2HDBFlags(0);
@@ -115,7 +115,7 @@ static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum h
}
flags.invalid = 0;
}
-
+
if (userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
if (ent_type == HDB_SAMBA4_ENT_TYPE_CLIENT || ent_type == HDB_SAMBA4_ENT_TYPE_ANY) {
flags.client = 1;
@@ -166,7 +166,7 @@ static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum h
}
if (userAccountControl & UF_TRUSTED_FOR_DELEGATION) {
flags.ok_as_delegate = 1;
- }
+ }
if (!(userAccountControl & UF_NOT_DELEGATED)) {
flags.forwardable = 1;
flags.proxiable = 1;
@@ -334,7 +334,7 @@ static krb5_error_code hdb_samba4_message2entry_keys(krb5_context context,
ret = krb5_keyblock_init(context,
ENCTYPE_ARCFOUR_HMAC,
- hash->hash, sizeof(hash->hash),
+ hash->hash, sizeof(hash->hash),
&key.key);
if (ret) {
goto out;
@@ -490,8 +490,8 @@ out:
/*
* Construct an hdb_entry from a directory entry.
*/
-static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db,
- struct loadparm_context *lp_ctx,
+static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
TALLOC_CTX *mem_ctx, krb5_const_principal principal,
enum hdb_samba4_ent_type ent_type,
struct ldb_dn *realm_dn,
@@ -514,7 +514,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db,
const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
computer_val.data = discard_const_p(uint8_t,"computer");
computer_val.length = strlen((const char *)computer_val.data);
-
+
if (!samAccountName) {
ret = ENOENT;
krb5_set_error_message(context, ret, "hdb_samba4_message2entry: no samAccountName present");
@@ -522,7 +522,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db,
}
objectclasses = ldb_msg_find_element(msg, "objectClass");
-
+
if (objectclasses && ldb_msg_find_val(objectclasses, &computer_val)) {
is_computer = TRUE;
}
@@ -534,7 +534,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db,
krb5_set_error_message(context, ret, "talloc_strdup: out of memory");
goto out;
}
-
+
p = talloc(mem_ctx, struct hdb_samba4_private);
if (!p) {
ret = ENOMEM;
@@ -557,7 +557,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db,
userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
-
+
entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
if (ent_type == HDB_SAMBA4_ENT_TYPE_ANY && principal == NULL) {
krb5_make_principal(context, &entry_ex->entry.principal, realm, samAccountName, NULL);
@@ -573,7 +573,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db,
* the client-specified realm. This code attempts to
* replace the client principal's realm with the one
* we determine from our records */
-
+
/* this has to be with malloc() */
krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
}
@@ -598,19 +598,19 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db,
* of the Heimdal KDC. They are stored in a the traditional
* DB for audit purposes, and still form part of the structure
* we must return */
-
+
/* use 'whenCreated' */
entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
/* use '???' */
entry_ex->entry.created_by.principal = NULL;
-
+
entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event));
if (entry_ex->entry.modified_by == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
-
+
/* use 'whenChanged' */
entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0);
/* use '???' */
@@ -661,7 +661,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db,
} else {
NTTIME must_change_time
- = samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx,
+ = samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx,
realm_dn, msg);
if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) {
entry_ex->entry.pw_end = NULL;
@@ -722,7 +722,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db,
p->msg = talloc_steal(p, msg);
p->samdb = (struct ldb_context *)db->hdb_db;
-
+
out:
if (ret != 0) {
/* This doesn't free ent itself, that is for the eventual caller to do */
@@ -737,7 +737,7 @@ out:
/*
* Construct an hdb_entry from a directory entry.
*/
-static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB *db,
+static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB *db,
struct loadparm_context *lp_ctx,
TALLOC_CTX *mem_ctx, krb5_const_principal principal,
enum trust_direction direction,
@@ -745,7 +745,7 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB
struct ldb_message *msg,
hdb_entry_ex *entry_ex)
{
-
+
const char *dnsdomain;
char *realm;
DATA_BLOB password_utf16;
@@ -843,16 +843,16 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB
ret = ENOMEM;
goto out;
}
-
+
ret = krb5_keyblock_init(context,
ENCTYPE_ARCFOUR_HMAC,
- password_hash.hash, sizeof(password_hash.hash),
+ password_hash.hash, sizeof(password_hash.hash),
&key.key);
-
+
entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
entry_ex->entry.keys.len++;
}
-
+
entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
ret = copy_Principal(principal, entry_ex->entry.principal);
@@ -860,13 +860,13 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB
krb5_clear_error_message(context);
goto out;
}
-
+
/* While we have copied the client principal, tests
* show that Win2k3 returns the 'corrected' realm, not
* the client-specified realm. This code attempts to
* replace the client principal's realm with the one
* we determine from our records */
-
+
krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
entry_ex->entry.flags = int2HDBFlags(0);
entry_ex->entry.flags.immutable = 1;
@@ -875,7 +875,7 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB
entry_ex->entry.flags.require_preauth = 1;
entry_ex->entry.pw_end = NULL;
-
+
entry_ex->entry.max_life = NULL;
entry_ex->entry.max_renew = NULL;
@@ -902,7 +902,7 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB
p->msg = talloc_steal(p, msg);
p->samdb = (struct ldb_context *)db->hdb_db;
-
+
out:
if (ret != 0) {
/* This doesn't free ent itself, that is for the eventual caller to do */
@@ -915,7 +915,7 @@ out:
}
-static krb5_error_code hdb_samba4_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx,
+static krb5_error_code hdb_samba4_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx,
TALLOC_CTX *mem_ctx,
const char *realm,
struct ldb_dn *realm_dn,
@@ -959,7 +959,7 @@ static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags,
krb5_warnx(context, "hdb_samba4_open: use of a master key incompatible with LDB\n");
krb5_set_error_message(context, ret, "hdb_samba4_open: use of a master key incompatible with LDB\n");
return ret;
- }
+ }
return 0;
}
@@ -984,25 +984,25 @@ static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const ch
return HDB_ERR_DB_INUSE;
}
-static krb5_error_code hdb_samba4_lookup_client(krb5_context context, HDB *db,
- struct loadparm_context *lp_ctx,
- TALLOC_CTX *mem_ctx,
+static krb5_error_code hdb_samba4_lookup_client(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
+ TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
const char **attrs,
- struct ldb_dn **realm_dn,
+ struct ldb_dn **realm_dn,
struct ldb_message **msg) {
NTSTATUS nt_status;
char *principal_string;
krb5_error_code ret;
ret = krb5_unparse_name(context, principal, &principal_string);
-
+
if (ret != 0) {
return ret;
}
-
+
nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db,
- mem_ctx, principal_string, attrs,
+ mem_ctx, principal_string, attrs,
realm_dn, msg);
free(principal_string);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
@@ -1012,13 +1012,13 @@ static krb5_error_code hdb_samba4_lookup_client(krb5_context context, HDB *db,
} else if (!NT_STATUS_IS_OK(nt_status)) {
return EINVAL;
}
-
+
return ret;
}
-static krb5_error_code hdb_samba4_fetch_client(krb5_context context, HDB *db,
- struct loadparm_context *lp_ctx,
- TALLOC_CTX *mem_ctx,
+static krb5_error_code hdb_samba4_fetch_client(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
+ TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
unsigned flags,
hdb_entry_ex *entry_ex) {
@@ -1026,22 +1026,22 @@ static krb5_error_code hdb_samba4_fetch_client(krb5_context context, HDB *db,
krb5_error_code ret;
struct ldb_message *msg = NULL;
- ret = hdb_samba4_lookup_client(context, db, lp_ctx,
- mem_ctx, principal, user_attrs,
+ ret = hdb_samba4_lookup_client(context, db, lp_ctx,
+ mem_ctx, principal, user_attrs,
&realm_dn, &msg);
if (ret != 0) {
return ret;
}
-
- ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx,
+
+ ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx,
principal, HDB_SAMBA4_ENT_TYPE_CLIENT,
realm_dn, msg, entry_ex);
return ret;
}
-static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
- struct loadparm_context *lp_ctx,
- TALLOC_CTX *mem_ctx,
+static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
+ TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
unsigned flags,
hdb_entry_ex *entry_ex)
@@ -1062,18 +1062,18 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
if (lp_is_my_domain_or_realm(lp_ctx, principal->realm)
&& lp_is_my_domain_or_realm(lp_ctx, principal->name.name_string.val[1])) {
- /* us */
+ /* us */
/* Cludge, cludge cludge. If the realm part of krbtgt/realm,
* is in our db, then direct the caller at our primary
* krbtgt */
int lret;
char *realm_fixed;
-
- lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx,
+
+ lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx,
realm_dn, LDB_SCOPE_SUBTREE,
- &msg, krbtgt_attrs,
- "(&(objectClass=user)(samAccountName=krbtgt))");
+ &msg, krbtgt_attrs,
+ "(&(objectClass=user)(samAccountName=krbtgt))");
if (lret == LDB_ERR_NO_SUCH_OBJECT) {
krb5_warnx(context, "hdb_samba4_fetch: could not find own KRBTGT in DB!");
krb5_set_error_message(context, HDB_ERR_NOENTRY, "hdb_samba4_fetch: could not find own KRBTGT in DB!");
@@ -1083,19 +1083,19 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
krb5_set_error_message(context, HDB_ERR_NOENTRY, "hdb_samba4_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(db->hdb_db));
return HDB_ERR_NOENTRY;
}
-
+
realm_fixed = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
if (!realm_fixed) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "strupper_talloc: out of memory");
return ret;
}
-
+
ret = krb5_copy_principal(context, principal, &alloc_principal);
if (ret) {
return ret;
}
-
+
free(alloc_principal->name.name_string.val[1]);
alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
talloc_free(realm_fixed);
@@ -1106,11 +1106,11 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
}
principal = alloc_principal;
- ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx,
- principal, HDB_SAMBA4_ENT_TYPE_KRBTGT,
+ ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx,
+ principal, HDB_SAMBA4_ENT_TYPE_KRBTGT,
realm_dn, msg, entry_ex);
if (ret != 0) {
- krb5_warnx(context, "hdb_samba4_fetch: self krbtgt message2entry failed");
+ krb5_warnx(context, "hdb_samba4_fetch: self krbtgt message2entry failed");
}
return ret;
@@ -1132,35 +1132,35 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
}
/* Trusted domains are under CN=system */
-
- ret = hdb_samba4_lookup_trust(context, (struct ldb_context *)db->hdb_db,
- mem_ctx,
+
+ ret = hdb_samba4_lookup_trust(context, (struct ldb_context *)db->hdb_db,
+ mem_ctx,
realm, realm_dn, &msg);
-
+
if (ret != 0) {
krb5_warnx(context, "hdb_samba4_fetch: could not find principal in DB");
krb5_set_error_message(context, ret, "hdb_samba4_fetch: could not find principal in DB");
return ret;
}
-
- ret = hdb_samba4_trust_message2entry(context, db, lp_ctx, mem_ctx,
- principal, direction,
+
+ ret = hdb_samba4_trust_message2entry(context, db, lp_ctx, mem_ctx,
+ principal, direction,
realm_dn, msg, entry_ex);
if (ret != 0) {
- krb5_warnx(context, "hdb_samba4_fetch: trust_message2entry failed");
+ krb5_warnx(context, "hdb_samba4_fetch: trust_message2entry failed");
}
return ret;
-
+
/* we should lookup trusted domains */
return HDB_ERR_NOENTRY;
}
}
-static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db,
+static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db,
struct loadparm_context *lp_ctx,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
const char **attrs,
struct ldb_dn **realm_dn,
@@ -1174,35 +1174,35 @@ static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db,
NTSTATUS nt_status;
struct ldb_dn *user_dn;
char *principal_string;
-
- ret = krb5_unparse_name_flags(context, principal,
- KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+
+ ret = krb5_unparse_name_flags(context, principal,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
&principal_string);
if (ret != 0) {
return ret;
}
-
+
/* At this point we may find the host is known to be
* in a different realm, so we should generate a
* referral instead */
nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db,
- mem_ctx, principal_string,
+ mem_ctx, principal_string,
&user_dn, realm_dn);
free(principal_string);
-
+
if (!NT_STATUS_IS_OK(nt_status)) {
return HDB_ERR_NOENTRY;
}
-
+
ldb_ret = gendb_search_single_extended_dn((struct ldb_context *)db->hdb_db,
- mem_ctx,
+ mem_ctx,
user_dn, LDB_SCOPE_BASE,
msg, attrs,
"(objectClass=*)");
if (ldb_ret != LDB_SUCCESS) {
return HDB_ERR_NOENTRY;
}
-
+
} else {
int lret;
char *filter = NULL;
@@ -1210,20 +1210,20 @@ static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db,
/* server as client principal case, but we must not lookup userPrincipalNames */
*realm_dn = ldb_get_default_basedn(db->hdb_db);
realm = krb5_principal_get_realm(context, principal);
-
+
/* TODO: Check if it is our realm, otherwise give referall */
-
+
ret = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &short_princ);
-
+
if (ret != 0) {
krb5_set_error_message(context, ret, "hdb_samba4_lookup_principal: could not parse principal");
krb5_warnx(context, "hdb_samba4_lookup_principal: could not parse principal");
return ret;
}
-
- lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx,
+
+ lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx,
*realm_dn, LDB_SCOPE_SUBTREE,
- msg, attrs, "(&(objectClass=user)(samAccountName=%s))",
+ msg, attrs, "(&(objectClass=user)(samAccountName=%s))",
ldb_binary_encode_string(mem_ctx, short_princ));
free(short_princ);
if (lret == LDB_ERR_NO_SUCH_OBJECT) {
@@ -1231,7 +1231,7 @@ static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db,
return HDB_ERR_NOENTRY;
}
if (lret != LDB_SUCCESS) {
- DEBUG(3, ("Failed single search for for %s - %s\n",
+ DEBUG(3, ("Failed single search for for %s - %s\n",
filter, ldb_errstring(db->hdb_db)));
return HDB_ERR_NOENTRY;
}
@@ -1240,9 +1240,9 @@ static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db,
return 0;
}
-static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
+static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
struct loadparm_context *lp_ctx,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
unsigned flags,
hdb_entry_ex *entry_ex)
@@ -1251,23 +1251,23 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
struct ldb_dn *realm_dn;
struct ldb_message *msg;
- ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, principal,
+ ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, principal,
server_attrs, &realm_dn, &msg);
if (ret != 0) {
return ret;
}
- ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx,
+ ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx,
principal, HDB_SAMBA4_ENT_TYPE_SERVER,
realm_dn, msg, entry_ex);
if (ret != 0) {
- krb5_warnx(context, "hdb_samba4_fetch: message2entry failed");
+ krb5_warnx(context, "hdb_samba4_fetch: message2entry failed");
}
return ret;
}
-
-static krb5_error_code hdb_samba4_fetch(krb5_context context, HDB *db,
+
+static krb5_error_code hdb_samba4_fetch(krb5_context context, HDB *db,
krb5_const_principal principal,
unsigned flags,
hdb_entry_ex *entry_ex)
@@ -1345,9 +1345,9 @@ static krb5_error_code hdb_samba4_seq(krb5_context context, HDB *db, unsigned fl
}
if (priv->index < priv->count) {
- ret = hdb_samba4_message2entry(context, db, priv->lp_ctx,
- mem_ctx,
- NULL, HDB_SAMBA4_ENT_TYPE_ANY,
+ ret = hdb_samba4_message2entry(context, db, priv->lp_ctx,
+ mem_ctx,
+ NULL, HDB_SAMBA4_ENT_TYPE_ANY,
priv->realm_dn, priv->msgs[priv->index++], entry);
} else {
ret = HDB_ERR_NOENTRY;
@@ -1366,7 +1366,7 @@ static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsign
hdb_entry_ex *entry)
{
struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db;
- struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"),
+ struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"),
struct loadparm_context);
struct hdb_samba4_seq *priv = (struct hdb_samba4_seq *)db->hdb_dbc;
char *realm;
@@ -1407,7 +1407,7 @@ static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsign
talloc_free(priv);
return ret;
}
-
+
lret = ldb_search(ldb_ctx, priv, &res,
priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
"(objectClass=user)");
@@ -1449,14 +1449,14 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
/* Check if a given entry may delegate to this target principal
*
- * This is currently a very nasty hack - allowing only delegation to itself.
+ * This is currently a very nasty hack - allowing only delegation to itself.
*/
-krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
+krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
hdb_entry_ex *entry,
krb5_const_principal target_principal)
{
struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db;
- struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"),
+ struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"),
struct loadparm_context);
krb5_error_code ret;
krb5_principal enterprise_prinicpal = NULL;
@@ -1468,7 +1468,7 @@ krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HD
const char *delegation_check_attrs[] = {
"objectSid", NULL
};
-
+
TALLOC_CTX *mem_ctx = talloc_named(db, 0, "hdb_samba4_check_constrained_delegation");
if (!mem_ctx) {
@@ -1481,12 +1481,12 @@ krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HD
/* Need to reparse the enterprise principal to find the real target */
if (target_principal->name.name_string.len != 1) {
ret = KRB5_PARSE_MALFORMED;
- krb5_set_error_message(context, ret, "hdb_samba4_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components",
- target_principal->name.name_string.len);
+ krb5_set_error_message(context, ret, "hdb_samba4_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components",
+ target_principal->name.name_string.len);
talloc_free(mem_ctx);
return ret;
}
- ret = krb5_parse_name(context, target_principal->name.name_string.val[0],
+ ret = krb5_parse_name(context, target_principal->name.name_string.val[0],
&enterprise_prinicpal);
if (ret) {
talloc_free(mem_ctx);
@@ -1495,7 +1495,7 @@ krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HD
target_principal = enterprise_prinicpal;
}
- ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, target_principal,
+ ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, target_principal,
delegation_check_attrs, &realm_dn, &msg);
krb5_free_principal(context, enterprise_prinicpal);
@@ -1525,12 +1525,12 @@ krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HD
* database. Allow a mismatch where they both refer to the same
* SID */
-krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
+krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
hdb_entry_ex *entry,
krb5_const_principal certificate_principal)
{
struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db;
- struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"),
+ struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"),
struct loadparm_context);
krb5_error_code ret;
struct ldb_dn *realm_dn;
@@ -1541,7 +1541,7 @@ krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *
const char *ms_upn_check_attrs[] = {
"objectSid", NULL
};
-
+
TALLOC_CTX *mem_ctx = talloc_named(db, 0, "hdb_samba4_check_constrained_delegation");
if (!mem_ctx) {
@@ -1550,10 +1550,10 @@ krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *
return ret;
}
- ret = hdb_samba4_lookup_client(context, db, lp_ctx,
+ ret = hdb_samba4_lookup_client(context, db, lp_ctx,
mem_ctx, certificate_principal,
ms_upn_check_attrs, &realm_dn, &msg);
-
+
if (ret != 0) {
talloc_free(mem_ctx);
return ret;
@@ -1579,8 +1579,8 @@ krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *
* (hdb_samba4_create) from the kpasswdd -> krb5 -> keytab_hdb -> hdb
* code */
-NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev_ctx,
+NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev_ctx,
struct loadparm_context *lp_ctx,
krb5_context context, struct HDB **db)
{
@@ -1602,7 +1602,7 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
* allow us to share the samdb backend context with other parts of the
* system. For now we can't as we need to override the
* credentials to set CRED_DONT_USE_KERBEROS, which would
- * break other users of the system_session */
+ * break other users of the system_session */
DEBUG(0,("FIXME: Using new system session for hdb\n"));
nt_status = auth_system_session_info(*db, lp_ctx, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1614,7 +1614,7 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
return NT_STATUS_INTERNAL_ERROR;
}
#endif
-
+
/* The idea here is very simple. Using Kerberos to
* authenticate the KDC to the LDAP server is higly likely to
* be circular.
@@ -1622,8 +1622,8 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
* In future we may set this up to use EXERNAL and SSL
* certificates, for now it will almost certainly be NTLMSSP_SET_USERNAME
*/
-
- cli_credentials_set_kerberos_state(session_info->credentials,
+
+ cli_credentials_set_kerberos_state(session_info->credentials,
CRED_DONT_USE_KERBEROS);
/* Setup the link to LDB */
@@ -1663,6 +1663,7 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db,
NTSTATUS nt_status;
void *ptr;
struct hdb_samba4_context *hdb_samba4_context;
+
if (sscanf(arg, "&%p", &ptr) != 1) {
return EINVAL;
}
@@ -1686,6 +1687,6 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db,
*/
struct hdb_method hdb_samba4 = {
.interface_version = HDB_INTERFACE_VERSION,
- .prefix = "samba4",
+ .prefix = "samba4",
.create = hdb_samba4_create
};
diff --git a/source4/kdc/hdb-samba4.h b/source4/kdc/hdb-samba4.h
index fc2f9c1310..5f85ce188c 100644
--- a/source4/kdc/hdb-samba4.h
+++ b/source4/kdc/hdb-samba4.h
@@ -1,21 +1,21 @@
-/*
+/*
Unix SMB/CIFS implementation.
KDC structures
Copyright (C) Andrew Tridgell 2005
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 6a9df0bf02..93f1c7d6ec 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
KDC Server startup
@@ -11,12 +11,12 @@
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -42,22 +42,15 @@
#include "librpc/gen_ndr/ndr_misc.h"
-/* Disgusting hack to get a mem_ctx and lp_ctx into the hdb plugin, when
+/* Disgusting hack to get a mem_ctx and lp_ctx into the hdb plugin, when
* used as a keytab */
TALLOC_CTX *hdb_samba4_mem_ctx;
struct tevent_context *hdb_samba4_ev_ctx;
struct loadparm_context *hdb_samba4_lp_ctx;
-/* hold all the info needed to send a reply */
-struct kdc_reply {
- struct kdc_reply *next, *prev;
- struct socket_address *dest;
- DATA_BLOB packet;
-};
-
typedef bool (*kdc_process_fn_t)(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *input,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *input,
DATA_BLOB *reply,
struct tsocket_address *peer_addr,
struct tsocket_address *my_addr,
@@ -65,15 +58,11 @@ typedef bool (*kdc_process_fn_t)(struct kdc_server *kdc,
/* hold information about one kdc socket */
struct kdc_socket {
- struct socket_context *sock;
struct kdc_server *kdc;
- struct tevent_fd *fde;
-
- /* a queue of outgoing replies that have been deferred */
- struct kdc_reply *send_queue;
-
+ struct tsocket_address *local_address;
kdc_process_fn_t process;
};
+
/*
state of an open tcp connection
*/
@@ -82,152 +71,11 @@ struct kdc_tcp_connection {
struct stream_connection *conn;
/* the kdc_server the connection belongs to */
- struct kdc_server *kdc;
+ struct kdc_socket *kdc_socket;
struct packet_context *packet;
-
- kdc_process_fn_t process;
};
-/*
- handle fd send events on a KDC socket
-*/
-static void kdc_send_handler(struct kdc_socket *kdc_socket)
-{
- while (kdc_socket->send_queue) {
- struct kdc_reply *rep = kdc_socket->send_queue;
- NTSTATUS status;
- size_t sendlen;
-
- status = socket_sendto(kdc_socket->sock, &rep->packet, &sendlen,
- rep->dest);
- if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
- break;
- }
- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_BUFFER_SIZE)) {
- /* Replace with a krb err, response to big */
- }
-
- DLIST_REMOVE(kdc_socket->send_queue, rep);
- talloc_free(rep);
- }
-
- if (kdc_socket->send_queue == NULL) {
- EVENT_FD_NOT_WRITEABLE(kdc_socket->fde);
- }
-}
-
-
-/*
- handle fd recv events on a KDC socket
-*/
-static void kdc_recv_handler(struct kdc_socket *kdc_socket)
-{
- NTSTATUS status;
- TALLOC_CTX *tmp_ctx = talloc_new(kdc_socket);
- DATA_BLOB blob;
- struct kdc_reply *rep;
- DATA_BLOB reply;
- size_t nread, dsize;
- struct socket_address *src;
- struct socket_address *my_addr;
- struct tsocket_address *tsrcaddr;
- struct tsocket_address *tmyaddr;
- int ret;
-
- status = socket_pending(kdc_socket->sock, &dsize);
- if (!NT_STATUS_IS_OK(status)) {
- talloc_free(tmp_ctx);
- return;
- }
-
- blob = data_blob_talloc(tmp_ctx, NULL, dsize);
- if (blob.data == NULL) {
- /* hope this is a temporary low memory condition */
- talloc_free(tmp_ctx);
- return;
- }
-
- status = socket_recvfrom(kdc_socket->sock, blob.data, blob.length, &nread,
- tmp_ctx, &src);
- if (!NT_STATUS_IS_OK(status)) {
- talloc_free(tmp_ctx);
- return;
- }
- blob.length = nread;
-
- DEBUG(10,("Received krb5 UDP packet of length %lu from %s:%u\n",
- (long)blob.length, src->addr, (uint16_t)src->port));
-
- my_addr = socket_get_my_addr(kdc_socket->sock, tmp_ctx);
- if (!my_addr) {
- talloc_free(tmp_ctx);
- return;
- }
-
- ret = tsocket_address_bsd_from_sockaddr(tmp_ctx, src->sockaddr,
- src->sockaddrlen, &tsrcaddr);
- if (ret < 0) {
- talloc_free(tmp_ctx);
- return;
- }
-
- ret = tsocket_address_bsd_from_sockaddr(tmp_ctx, my_addr->sockaddr,
- my_addr->sockaddrlen, &tmyaddr);
- if (ret < 0) {
- talloc_free(tmp_ctx);
- return;
- }
-
- /* Call krb5 */
- ret = kdc_socket->process(kdc_socket->kdc,
- tmp_ctx,
- &blob,
- &reply,
- tsrcaddr,
- tmyaddr,
- 1 /* Datagram */);
- if (!ret) {
- talloc_free(tmp_ctx);
- return;
- }
-
- /* queue a pending reply */
- rep = talloc(kdc_socket, struct kdc_reply);
- if (rep == NULL) {
- talloc_free(tmp_ctx);
- return;
- }
- rep->dest = talloc_steal(rep, src);
- rep->packet = reply;
- talloc_steal(rep, reply.data);
-
- if (rep->packet.data == NULL) {
- talloc_free(rep);
- talloc_free(tmp_ctx);
- return;
- }
-
- DLIST_ADD_END(kdc_socket->send_queue, rep, struct kdc_reply *);
- EVENT_FD_WRITEABLE(kdc_socket->fde);
- talloc_free(tmp_ctx);
-}
-
-/*
- handle fd events on a KDC socket
-*/
-static void kdc_socket_handler(struct tevent_context *ev, struct tevent_fd *fde,
- uint16_t flags, void *private_data)
-{
- struct kdc_socket *kdc_socket = talloc_get_type(private_data, struct kdc_socket);
- if (flags & EVENT_FD_WRITE) {
- kdc_send_handler(kdc_socket);
- }
- if (flags & EVENT_FD_READ) {
- kdc_recv_handler(kdc_socket);
- }
-}
-
static void kdc_tcp_terminate_connection(struct kdc_tcp_connection *kdcconn, const char *reason)
{
stream_terminate_connection(kdcconn->conn, reason);
@@ -244,49 +92,18 @@ static NTSTATUS kdc_tcp_recv(void *private_data, DATA_BLOB blob)
TALLOC_CTX *tmp_ctx = talloc_new(kdcconn);
int ret;
DATA_BLOB input, reply;
- struct socket_address *src_addr;
- struct socket_address *my_addr;
- struct tsocket_address *tsrcaddr;
- struct tsocket_address *tmyaddr;
-
talloc_steal(tmp_ctx, blob.data);
- src_addr = socket_get_peer_addr(kdcconn->conn->socket, tmp_ctx);
- if (!src_addr) {
- talloc_free(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- my_addr = socket_get_my_addr(kdcconn->conn->socket, tmp_ctx);
- if (!my_addr) {
- talloc_free(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- ret = tsocket_address_bsd_from_sockaddr(tmp_ctx, src_addr->sockaddr,
- src_addr->sockaddrlen, &tsrcaddr);
- if (ret < 0) {
- talloc_free(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- ret = tsocket_address_bsd_from_sockaddr(tmp_ctx, my_addr->sockaddr,
- my_addr->sockaddrlen, &tmyaddr);
- if (ret < 0) {
- talloc_free(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
/* Call krb5 */
- input = data_blob_const(blob.data + 4, blob.length - 4);
-
- ret = kdcconn->process(kdcconn->kdc,
- tmp_ctx,
- &input,
- &reply,
- tsrcaddr,
- tmyaddr,
- 0 /* Not datagram */);
+ input = data_blob_const(blob.data + 4, blob.length - 4);
+
+ ret = kdcconn->kdc_socket->process(kdcconn->kdc_socket->kdc,
+ tmp_ctx,
+ &input,
+ &reply,
+ kdcconn->conn->remote_address,
+ kdcconn->conn->local_address,
+ 0 /* Not datagram */);
if (!ret) {
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_ERROR;
@@ -300,7 +117,7 @@ static NTSTATUS kdc_tcp_recv(void *private_data, DATA_BLOB blob)
}
RSIVAL(blob.data, 0, reply.length);
- memcpy(blob.data + 4, reply.data, reply.length);
+ memcpy(blob.data + 4, reply.data, reply.length);
status = packet_send(kdcconn->packet, blob);
if (!NT_STATUS_IS_OK(status)) {
@@ -349,8 +166,8 @@ static void kdc_tcp_send(struct stream_connection *conn, uint16_t flags)
*/
static bool kdc_process(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *input,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *input,
DATA_BLOB *reply,
struct tsocket_address *peer_addr,
struct tsocket_address *my_addr,
@@ -377,7 +194,7 @@ static bool kdc_process(struct kdc_server *kdc,
DEBUG(10,("Received KDC packet of length %lu from %s\n",
(long)input->length - 4, pa));
- ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context,
+ ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context,
kdc->config,
input->data, input->length,
&k5_reply,
@@ -392,7 +209,7 @@ static bool kdc_process(struct kdc_server *kdc,
*reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length);
krb5_data_free(&k5_reply);
} else {
- *reply = data_blob(NULL, 0);
+ *reply = data_blob(NULL, 0);
}
return true;
}
@@ -410,9 +227,8 @@ static void kdc_tcp_accept(struct stream_connection *conn)
stream_terminate_connection(conn, "kdc_tcp_accept: out of memory");
return;
}
- kdcconn->conn = conn;
- kdcconn->kdc = kdc_socket->kdc;
- kdcconn->process = kdc_socket->process;
+ kdcconn->conn = conn;
+ kdcconn->kdc_socket = kdc_socket;
conn->private_data = kdcconn;
kdcconn->packet = packet_init(kdcconn);
@@ -437,6 +253,105 @@ static const struct stream_server_ops kdc_tcp_stream_ops = {
.send_handler = kdc_tcp_send
};
+/* hold information about one kdc/kpasswd udp socket */
+struct kdc_udp_socket {
+ struct kdc_socket *kdc_socket;
+ struct tdgram_context *dgram;
+ struct tevent_queue *send_queue;
+};
+
+struct kdc_udp_call {
+ struct tsocket_address *src;
+ DATA_BLOB in;
+ DATA_BLOB out;
+};
+
+static void kdc_udp_call_sendto_done(struct tevent_req *subreq);
+
+static void kdc_udp_call_loop(struct tevent_req *subreq)
+{
+ struct kdc_udp_socket *sock = tevent_req_callback_data(subreq,
+ struct kdc_udp_socket);
+ struct kdc_udp_call *call;
+ uint8_t *buf;
+ ssize_t len;
+ int sys_errno;
+ int ret;
+
+ call = talloc(sock, struct kdc_udp_call);
+ if (call == NULL) {
+ talloc_free(call);
+ goto done;
+ }
+
+ len = tdgram_recvfrom_recv(subreq, &sys_errno,
+ call, &buf, &call->src);
+ TALLOC_FREE(subreq);
+ if (len == -1) {
+ talloc_free(call);
+ goto done;
+ }
+
+ call->in.data = buf;
+ call->in.length = len;
+
+ DEBUG(10,("Received krb5 UDP packet of length %lu from %s\n",
+ (long)call->in.length,
+ tsocket_address_string(call->src, call)));
+
+ /* Call krb5 */
+ ret = sock->kdc_socket->process(sock->kdc_socket->kdc,
+ call,
+ &call->in,
+ &call->out,
+ call->src,
+ sock->kdc_socket->local_address,
+ 1 /* Datagram */);
+ if (!ret) {
+ talloc_free(call);
+ goto done;
+ }
+
+ subreq = tdgram_sendto_queue_send(call,
+ sock->kdc_socket->kdc->task->event_ctx,
+ sock->dgram,
+ sock->send_queue,
+ call->out.data,
+ call->out.length,
+ call->src);
+ if (subreq == NULL) {
+ talloc_free(call);
+ goto done;
+ }
+ tevent_req_set_callback(subreq, kdc_udp_call_sendto_done, call);
+
+done:
+ subreq = tdgram_recvfrom_send(sock,
+ sock->kdc_socket->kdc->task->event_ctx,
+ sock->dgram);
+ if (subreq == NULL) {
+ task_server_terminate(sock->kdc_socket->kdc->task,
+ "no memory for tdgram_recvfrom_send",
+ true);
+ return;
+ }
+ tevent_req_set_callback(subreq, kdc_udp_call_loop, sock);
+}
+
+static void kdc_udp_call_sendto_done(struct tevent_req *subreq)
+{
+ struct kdc_udp_call *call = tevent_req_callback_data(subreq,
+ struct kdc_udp_call);
+ ssize_t ret;
+ int sys_errno;
+
+ ret = tdgram_sendto_queue_recv(subreq, &sys_errno);
+
+ /* We don't care about errors */
+
+ talloc_free(call);
+}
+
/*
start listening on the given address
*/
@@ -447,47 +362,32 @@ static NTSTATUS kdc_add_socket(struct kdc_server *kdc,
uint16_t port,
kdc_process_fn_t process)
{
- struct kdc_socket *kdc_socket;
- struct socket_address *socket_address;
+ struct kdc_socket *kdc_socket;
+ struct kdc_udp_socket *kdc_udp_socket;
+ struct tevent_req *udpsubreq;
NTSTATUS status;
+ int ret;
kdc_socket = talloc(kdc, struct kdc_socket);
NT_STATUS_HAVE_NO_MEMORY(kdc_socket);
- status = socket_create("ip", SOCKET_TYPE_DGRAM, &kdc_socket->sock, 0);
- if (!NT_STATUS_IS_OK(status)) {
- talloc_free(kdc_socket);
- return status;
- }
-
kdc_socket->kdc = kdc;
- kdc_socket->send_queue = NULL;
kdc_socket->process = process;
- talloc_steal(kdc_socket, kdc_socket->sock);
-
- kdc_socket->fde = event_add_fd(kdc->task->event_ctx, kdc,
- socket_get_fd(kdc_socket->sock), EVENT_FD_READ,
- kdc_socket_handler, kdc_socket);
-
- socket_address = socket_address_from_strings(kdc_socket, kdc_socket->sock->backend_name,
- address, port);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(socket_address, kdc_socket);
-
- status = socket_listen(kdc_socket->sock, socket_address, 0, 0);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("Failed to bind to %s:%d UDP for %s - %s\n",
- address, port, name, nt_errstr(status)));
- talloc_free(kdc_socket);
+ ret = tsocket_address_inet_from_strings(kdc_socket, "ip",
+ address, port,
+ &kdc_socket->local_address);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(errno);
return status;
}
- status = stream_setup_socket(kdc->task->event_ctx,
+ status = stream_setup_socket(kdc->task->event_ctx,
kdc->task->lp_ctx,
- model_ops,
- &kdc_tcp_stream_ops,
- "ip", address, &port,
- lp_socket_options(kdc->task->lp_ctx),
+ model_ops,
+ &kdc_tcp_stream_ops,
+ "ip", address, &port,
+ lp_socket_options(kdc->task->lp_ctx),
kdc_socket);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Failed to bind to %s:%u TCP - %s\n",
@@ -496,6 +396,32 @@ static NTSTATUS kdc_add_socket(struct kdc_server *kdc,
return status;
}
+ kdc_udp_socket = talloc(kdc_socket, struct kdc_udp_socket);
+ NT_STATUS_HAVE_NO_MEMORY(kdc_udp_socket);
+
+ kdc_udp_socket->kdc_socket = kdc_socket;
+
+ ret = tdgram_inet_udp_socket(kdc_socket->local_address,
+ NULL,
+ kdc_udp_socket,
+ &kdc_udp_socket->dgram);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(errno);
+ DEBUG(0,("Failed to bind to %s:%u UDP - %s\n",
+ address, port, nt_errstr(status)));
+ return status;
+ }
+
+ kdc_udp_socket->send_queue = tevent_queue_create(kdc_udp_socket,
+ "kdc_udp_send_queue");
+ NT_STATUS_HAVE_NO_MEMORY(kdc_udp_socket->send_queue);
+
+ udpsubreq = tdgram_recvfrom_send(kdc_udp_socket,
+ kdc->task->event_ctx,
+ kdc_udp_socket->dgram);
+ NT_STATUS_HAVE_NO_MEMORY(udpsubreq);
+ tevent_req_set_callback(udpsubreq, kdc_udp_call_loop, kdc_udp_socket);
+
return NT_STATUS_OK;
}
@@ -522,7 +448,7 @@ static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc, struct loadparm_c
}
num_interfaces = iface_count(ifaces);
-
+
for (i=0; i<num_interfaces; i++) {
const char *address = talloc_strdup(tmp_ctx, iface_n_ip(ifaces, i));
uint16_t kdc_port = lp_krb5_port(lp_ctx);
@@ -549,7 +475,7 @@ static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc, struct loadparm_c
}
-static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
+static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
struct kdc_check_generic_kerberos *r)
{
struct PAC_Validate pac_validate;
@@ -567,14 +493,14 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
/* There is no reply to this request */
r->out.generic_reply = data_blob(NULL, 0);
- ndr_err = ndr_pull_struct_blob(&r->in.generic_request, msg,
- lp_iconv_convenience(kdc->task->lp_ctx),
+ ndr_err = ndr_pull_struct_blob(&r->in.generic_request, msg,
+ lp_iconv_convenience(kdc->task->lp_ctx),
&pac_validate,
(ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return NT_STATUS_INVALID_PARAMETER;
}
-
+
if (pac_validate.MessageType != 3) {
/* We don't implement any other message types - such as certificate validation - yet */
return NT_STATUS_INVALID_PARAMETER;
@@ -585,10 +511,10 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
|| pac_validate.ChecksumAndSignature.length < pac_validate.SignatureLength ) {
return NT_STATUS_INVALID_PARAMETER;
}
-
- srv_sig = data_blob_const(pac_validate.ChecksumAndSignature.data,
+
+ srv_sig = data_blob_const(pac_validate.ChecksumAndSignature.data,
pac_validate.ChecksumLength);
-
+
if (pac_validate.SignatureType == CKSUMTYPE_HMAC_MD5) {
etype = ETYPE_ARCFOUR_HMAC_MD5;
} else {
@@ -599,16 +525,16 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
}
}
- ret = krb5_make_principal(kdc->smb_krb5_context->krb5_context, &principal,
+ ret = krb5_make_principal(kdc->smb_krb5_context->krb5_context, &principal,
lp_realm(kdc->task->lp_ctx),
- "krbtgt", lp_realm(kdc->task->lp_ctx),
+ "krbtgt", lp_realm(kdc->task->lp_ctx),
NULL);
if (ret != 0) {
return NT_STATUS_NO_MEMORY;
}
- ret = kdc->config->db[0]->hdb_fetch(kdc->smb_krb5_context->krb5_context,
+ ret = kdc->config->db[0]->hdb_fetch(kdc->smb_krb5_context->krb5_context,
kdc->config->db[0],
principal,
HDB_F_GET_KRBTGT | HDB_F_DECRYPT,
@@ -617,10 +543,10 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
if (ret != 0) {
hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
-
+
return NT_STATUS_LOGON_FAILURE;
}
-
+
ret = hdb_enctype2key(kdc->smb_krb5_context->krb5_context, &ent.entry, etype, &key);
if (ret != 0) {
@@ -630,11 +556,11 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
}
keyblock = key->key;
-
+
kdc_sig.type = pac_validate.SignatureType;
kdc_sig.signature = data_blob_const(&pac_validate.ChecksumAndSignature.data[pac_validate.ChecksumLength],
pac_validate.SignatureLength);
- ret = check_pac_checksum(msg, srv_sig, &kdc_sig,
+ ret = check_pac_checksum(msg, srv_sig, &kdc_sig,
kdc->smb_krb5_context->krb5_context, &keyblock);
hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
@@ -643,7 +569,7 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
if (ret != 0) {
return NT_STATUS_LOGON_FAILURE;
}
-
+
return NT_STATUS_OK;
}
@@ -691,21 +617,21 @@ static void kdc_task_init(struct task_server *task)
ret = smb_krb5_init_context(kdc, task->event_ctx, task->lp_ctx, &kdc->smb_krb5_context);
if (ret) {
- DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n",
+ DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n",
error_message(ret)));
task_server_terminate(task, "kdc: krb5_init_context failed", true);
- return;
+ return;
}
krb5_add_et_list(kdc->smb_krb5_context->krb5_context, initialize_hdb_error_table_r);
- ret = krb5_kdc_get_config(kdc->smb_krb5_context->krb5_context,
+ ret = krb5_kdc_get_config(kdc->smb_krb5_context->krb5_context,
&kdc->config);
if(ret) {
task_server_terminate(task, "kdc: failed to get KDC configuration", true);
return;
}
-
+
kdc->config->logf = kdc->smb_krb5_context->logf;
kdc->config->db = talloc(kdc, struct HDB *);
if (!kdc->config->db) {
@@ -713,13 +639,13 @@ static void kdc_task_init(struct task_server *task)
return;
}
kdc->config->num_db = 1;
-
- status = hdb_samba4_create_kdc(kdc, task->event_ctx, task->lp_ctx,
- kdc->smb_krb5_context->krb5_context,
+
+ status = hdb_samba4_create_kdc(kdc, task->event_ctx, task->lp_ctx,
+ kdc->smb_krb5_context->krb5_context,
&kdc->config->db[0]);
if (!NT_STATUS_IS_OK(status)) {
task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true);
- return;
+ return;
}
/* Register hdb-samba4 hooks for use as a keytab */
@@ -727,13 +653,13 @@ static void kdc_task_init(struct task_server *task)
kdc->hdb_samba4_context = talloc(kdc, struct hdb_samba4_context);
if (!kdc->hdb_samba4_context) {
task_server_terminate(task, "kdc: out of memory", true);
- return;
+ return;
}
kdc->hdb_samba4_context->ev_ctx = task->event_ctx;
kdc->hdb_samba4_context->lp_ctx = task->lp_ctx;
- ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
+ ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
PLUGIN_TYPE_DATA, "hdb",
&hdb_samba4);
if(ret) {
@@ -748,7 +674,7 @@ static void kdc_task_init(struct task_server *task)
}
/* Registar WinDC hooks */
- ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
+ ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
PLUGIN_TYPE_DATA, "windc",
&windc_plugin_table);
if(ret) {
@@ -765,7 +691,7 @@ static void kdc_task_init(struct task_server *task)
return;
}
- status = IRPC_REGISTER(task->msg_ctx, irpc, KDC_CHECK_GENERIC_KERBEROS,
+ status = IRPC_REGISTER(task->msg_ctx, irpc, KDC_CHECK_GENERIC_KERBEROS,
kdc_check_generic_kerberos, kdc);
if (!NT_STATUS_IS_OK(status)) {
task_server_terminate(task, "nbtd failed to setup monitoring", true);
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index 4a715fd498..b9cf621537 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -1,21 +1,21 @@
-/*
+/*
Unix SMB/CIFS implementation.
KDC structures
Copyright (C) Andrew Tridgell 2005
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -33,8 +33,8 @@ struct tsocket_address;
bool kpasswdd_process(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *input,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *input,
DATA_BLOB *reply,
struct tsocket_address *peer_addr,
struct tsocket_address *my_addr,
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 9b3336a7a1..8406887dad 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
kpasswd Server implementation
@@ -10,12 +10,12 @@
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -45,15 +45,15 @@
#endif
/* Return true if there is a valid error packet formed in the error_blob */
-static bool kpasswdd_make_error_reply(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
- uint16_t result_code,
- const char *error_string,
- DATA_BLOB *error_blob)
+static bool kpasswdd_make_error_reply(struct kdc_server *kdc,
+ TALLOC_CTX *mem_ctx,
+ uint16_t result_code,
+ const char *error_string,
+ DATA_BLOB *error_blob)
{
char *error_string_utf8;
size_t len;
-
+
DEBUG(result_code ? 3 : 10, ("kpasswdd: %s\n", error_string));
if (!push_utf8_talloc(mem_ctx, &error_string_utf8, error_string, &len)) {
@@ -70,17 +70,17 @@ static bool kpasswdd_make_error_reply(struct kdc_server *kdc,
}
/* Return true if there is a valid error packet formed in the error_blob */
-static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
- uint16_t result_code,
- const char *error_string,
- DATA_BLOB *error_blob)
+static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
+ TALLOC_CTX *mem_ctx,
+ uint16_t result_code,
+ const char *error_string,
+ DATA_BLOB *error_blob)
{
bool ret;
int kret;
DATA_BLOB error_bytes;
krb5_data k5_error_bytes, k5_error_blob;
- ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string,
+ ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string,
&error_bytes);
if (!ret) {
return false;
@@ -88,7 +88,7 @@ static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
k5_error_bytes.data = error_bytes.data;
k5_error_bytes.length = error_bytes.length;
kret = krb5_mk_error(kdc->smb_krb5_context->krb5_context,
- result_code, NULL, &k5_error_bytes,
+ result_code, NULL, &k5_error_bytes,
NULL, NULL, NULL, NULL, &k5_error_blob);
if (kret) {
return false;
@@ -101,21 +101,21 @@ static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
return true;
}
-static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
- NTSTATUS status,
+static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc,
+ TALLOC_CTX *mem_ctx,
+ NTSTATUS status,
enum samPwdChangeReason reject_reason,
struct samr_DomInfo1 *dominfo,
- DATA_BLOB *error_blob)
+ DATA_BLOB *error_blob)
{
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_ACCESSDENIED,
"No such user when changing password",
error_blob);
}
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_ACCESSDENIED,
"Not permitted to change password",
error_blob);
@@ -138,31 +138,31 @@ static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc,
dominfo->min_password_length, dominfo->password_history_length);
break;
}
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_SOFTERROR,
reject_string,
error_blob);
}
if (!NT_STATUS_IS_OK(status)) {
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx, "failed to set password: %s", nt_errstr(status)),
error_blob);
-
+
}
return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_SUCCESS,
"Password changed",
error_blob);
}
-/*
+/*
A user password change
-
+
Return true if there is a valid error packet (or sucess) formed in
the error_blob
*/
static bool kpasswdd_change_password(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
struct auth_session_info *session_info,
const DATA_BLOB *password,
DATA_BLOB *reply)
@@ -174,45 +174,45 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, system_session(kdc->task->lp_ctx));
if (!samdb) {
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
"Failed to open samdb",
reply);
}
-
- DEBUG(3, ("Changing password of %s\\%s (%s)\n",
+
+ DEBUG(3, ("Changing password of %s\\%s (%s)\n",
session_info->server_info->domain_name,
session_info->server_info->account_name,
dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
/* User password change */
- status = samdb_set_password_sid(samdb, mem_ctx,
+ status = samdb_set_password_sid(samdb, mem_ctx,
session_info->security_token->user_sid,
- password, NULL, NULL,
+ password, NULL, NULL,
true, /* this is a user password change */
&reject_reason,
&dominfo);
- return kpasswd_make_pwchange_reply(kdc, mem_ctx,
- status,
+ return kpasswd_make_pwchange_reply(kdc, mem_ctx,
+ status,
reject_reason,
- dominfo,
+ dominfo,
reply);
}
static bool kpasswd_process_request(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
uint16_t version,
- DATA_BLOB *input,
+ DATA_BLOB *input,
DATA_BLOB *reply)
{
struct auth_session_info *session_info;
size_t pw_len;
- if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
+ if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
&session_info))) {
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
"gensec_session_info failed!",
reply);
@@ -222,16 +222,16 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
case KRB5_KPASSWD_VERS_CHANGEPW:
{
DATA_BLOB password;
- if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx),
- CH_UTF8, CH_UTF16,
- (const char *)input->data,
+ if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx),
+ CH_UTF8, CH_UTF16,
+ (const char *)input->data,
input->length,
(void **)&password.data, &pw_len, false)) {
return false;
}
password.length = pw_len;
-
- return kpasswdd_change_password(kdc, mem_ctx, session_info,
+
+ return kpasswdd_change_password(kdc, mem_ctx, session_info,
&password, reply);
break;
}
@@ -262,26 +262,26 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
ret = decode_ChangePasswdDataMS(input->data, input->length,
&chpw, &len);
if (ret) {
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"failed to decode password change structure",
reply);
}
-
- if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx),
- CH_UTF8, CH_UTF16,
- (const char *)chpw.newpasswd.data,
+
+ if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx),
+ CH_UTF8, CH_UTF16,
+ (const char *)chpw.newpasswd.data,
chpw.newpasswd.length,
(void **)&password.data, &pw_len, false)) {
free_ChangePasswdDataMS(&chpw);
return false;
}
-
+
password.length = pw_len;
-
- if ((chpw.targname && !chpw.targrealm)
+
+ if ((chpw.targname && !chpw.targrealm)
|| (!chpw.targname && chpw.targrealm)) {
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"Realm and principal must be both present, or neither present",
reply);
@@ -289,14 +289,14 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
if (chpw.targname && chpw.targrealm) {
#ifdef SAMBA4_INTERNAL_HEIMDAL
if (_krb5_principalname2krb5_principal(kdc->smb_krb5_context->krb5_context,
- &principal, *chpw.targname,
+ &principal, *chpw.targname,
*chpw.targrealm) != 0) {
free_ChangePasswdDataMS(&chpw);
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"failed to extract principal to set",
reply);
-
+
}
#else /* SAMBA4_INTERNAL_HEIMDAL */
return kpasswdd_make_error_reply(kdc, mem_ctx,
@@ -306,54 +306,54 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
#endif /* SAMBA4_INTERNAL_HEIMDAL */
} else {
free_ChangePasswdDataMS(&chpw);
- return kpasswdd_change_password(kdc, mem_ctx, session_info,
+ return kpasswdd_change_password(kdc, mem_ctx, session_info,
&password, reply);
}
free_ChangePasswdDataMS(&chpw);
if (krb5_unparse_name(context, principal, &set_password_on_princ) != 0) {
krb5_free_principal(context, principal);
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"krb5_unparse_name failed!",
reply);
}
-
+
krb5_free_principal(context, principal);
-
+
samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, session_info);
if (!samdb) {
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
"Unable to open database!",
reply);
}
- DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
+ DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
session_info->server_info->domain_name,
session_info->server_info->account_name,
- dom_sid_string(mem_ctx, session_info->security_token->user_sid),
+ dom_sid_string(mem_ctx, session_info->security_token->user_sid),
set_password_on_princ));
ret = ldb_transaction_start(samdb);
if (ret) {
status = NT_STATUS_TRANSACTION_ABORTED;
- return kpasswd_make_pwchange_reply(kdc, mem_ctx,
+ return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
SAM_PWD_CHANGE_NO_ERROR,
- NULL,
+ NULL,
reply);
}
- status = crack_user_principal_name(samdb, mem_ctx,
- set_password_on_princ,
+ status = crack_user_principal_name(samdb, mem_ctx,
+ set_password_on_princ,
&set_password_on_dn, NULL);
free(set_password_on_princ);
if (!NT_STATUS_IS_OK(status)) {
ldb_transaction_cancel(samdb);
- return kpasswd_make_pwchange_reply(kdc, mem_ctx,
+ return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
SAM_PWD_CHANGE_NO_ERROR,
- NULL,
+ NULL,
reply);
}
@@ -372,7 +372,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
/* Admin password set */
status = samdb_set_password(samdb, mem_ctx,
set_password_on_dn, NULL,
- msg, &password, NULL, NULL,
+ msg, &password, NULL, NULL,
false, /* this is not a user password change */
&reject_reason, &dominfo);
}
@@ -398,17 +398,17 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
} else {
ldb_transaction_cancel(samdb);
}
- return kpasswd_make_pwchange_reply(kdc, mem_ctx,
+ return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
- reject_reason,
- dominfo,
+ reject_reason,
+ dominfo,
reply);
}
default:
- return kpasswdd_make_error_reply(kdc, mem_ctx,
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_BAD_VERSION,
- talloc_asprintf(mem_ctx,
- "Protocol version %u not supported",
+ talloc_asprintf(mem_ctx,
+ "Protocol version %u not supported",
version),
reply);
}
@@ -416,8 +416,8 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
}
bool kpasswdd_process(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *input,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *input,
DATA_BLOB *reply,
struct tsocket_address *peer_addr,
struct tsocket_address *my_addr,
@@ -466,11 +466,11 @@ bool kpasswdd_process(struct kdc_server *kdc,
talloc_free(tmp_ctx);
return false;
}
-
+
krb_priv_len = len - ap_req_len;
ap_req = data_blob_const(&input->data[header_len], ap_req_len);
krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
-
+
server_credentials = cli_credentials_init(tmp_ctx);
if (!server_credentials) {
DEBUG(1, ("Failed to init server credentials\n"));
@@ -478,7 +478,7 @@ bool kpasswdd_process(struct kdc_server *kdc,
}
/* We want the credentials subsystem to use the krb5 context
- * we already have, rather than a new context */
+ * we already have, rather than a new context */
cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
@@ -487,10 +487,10 @@ bool kpasswdd_process(struct kdc_server *kdc,
cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED);
ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED);
if (ret != 0) {
- ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
+ ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
- talloc_asprintf(mem_ctx,
- "Failed to obtain server credentials for kadmin/changepw: %s\n",
+ talloc_asprintf(mem_ctx,
+ "Failed to obtain server credentials for kadmin/changepw: %s\n",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
@@ -500,16 +500,16 @@ bool kpasswdd_process(struct kdc_server *kdc,
talloc_free(tmp_ctx);
return ret;
}
-
+
/* We don't strictly need to call this wrapper, and could call
* gensec_server_start directly, as we have no need for NTLM
* and we have a PAC, but this ensures that the wrapper can be
* safely extended for other helpful things in future */
- nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx,
+ nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx,
kdc->task->msg_ctx,
kdc->task->lp_ctx,
server_credentials,
- "kpasswd",
+ "kpasswd",
&gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
@@ -549,11 +549,11 @@ bool kpasswdd_process(struct kdc_server *kdc,
/* Accept the AP-REQ and generate teh AP-REP we need for the reply */
nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep);
if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-
- ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
+
+ ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
- talloc_asprintf(mem_ctx,
- "gensec_update failed: %s",
+ talloc_asprintf(mem_ctx,
+ "gensec_update failed: %s",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
@@ -567,10 +567,10 @@ bool kpasswdd_process(struct kdc_server *kdc,
/* Extract the data from the KRB-PRIV half of the message */
nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
if (!NT_STATUS_IS_OK(nt_status)) {
- ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
+ ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
- talloc_asprintf(mem_ctx,
- "gensec_unwrap failed: %s",
+ talloc_asprintf(mem_ctx,
+ "gensec_unwrap failed: %s",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
@@ -582,10 +582,10 @@ bool kpasswdd_process(struct kdc_server *kdc,
}
/* Figure out something to do with it (probably changing a password...) */
- ret = kpasswd_process_request(kdc, tmp_ctx,
- gensec_security,
- version,
- &kpasswd_req, &kpasswd_rep);
+ ret = kpasswd_process_request(kdc, tmp_ctx,
+ gensec_security,
+ version,
+ &kpasswd_req, &kpasswd_rep);
if (!ret) {
/* Argh! */
return false;
@@ -593,13 +593,13 @@ bool kpasswdd_process(struct kdc_server *kdc,
/* And wrap up the reply: This ensures that the error message
* or success can be verified by the client */
- nt_status = gensec_wrap(gensec_security, tmp_ctx,
+ nt_status = gensec_wrap(gensec_security, tmp_ctx,
&kpasswd_rep, &krb_priv_rep);
if (!NT_STATUS_IS_OK(nt_status)) {
- ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
+ ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
- talloc_asprintf(mem_ctx,
- "gensec_wrap failed: %s",
+ talloc_asprintf(mem_ctx,
+ "gensec_wrap failed: %s",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
@@ -609,7 +609,7 @@ bool kpasswdd_process(struct kdc_server *kdc,
talloc_free(tmp_ctx);
return ret;
}
-
+
reply:
*reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len);
if (!reply->data) {
@@ -619,11 +619,11 @@ reply:
RSSVAL(reply->data, 0, reply->length);
RSSVAL(reply->data, 2, 1); /* This is a version 1 reply, MS change/set or otherwise */
RSSVAL(reply->data, 4, ap_rep.length);
- memcpy(reply->data + header_len,
- ap_rep.data,
+ memcpy(reply->data + header_len,
+ ap_rep.data,
ap_rep.length);
- memcpy(reply->data + header_len + ap_rep.length,
- krb_priv_rep.data,
+ memcpy(reply->data + header_len + ap_rep.length,
+ krb_priv_rep.data,
krb_priv_rep.length);
talloc_free(tmp_ctx);
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 3d542d9a94..d921899c61 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1,21 +1,21 @@
-/*
+/*
Unix SMB/CIFS implementation.
PAC Glue between Samba and the KDC
-
+
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -34,22 +34,22 @@
struct krb5_dh_moduli;
struct _krb5_krb_auth_data;
-static krb5_error_code samba_kdc_plugin_init(krb5_context context, void **ptr)
+static krb5_error_code samba_kdc_plugin_init(krb5_context context, void **ptr)
{
*ptr = NULL;
return 0;
}
-static void samba_kdc_plugin_fini(void *ptr)
+static void samba_kdc_plugin_fini(void *ptr)
{
return;
}
static krb5_error_code make_pac(krb5_context context,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
struct smb_iconv_convenience *iconv_convenience,
struct auth_serversupplied_info *server_info,
- krb5_pac *pac)
+ krb5_pac *pac)
{
union PAC_INFO info;
struct netr_SamInfo3 *info3;
@@ -105,7 +105,7 @@ static krb5_error_code make_pac(krb5_context context,
/* Given the right private pointer from hdb_samba4, get a PAC from the attached ldb messages */
static krb5_error_code samba_kdc_get_pac(void *priv,
- krb5_context context,
+ krb5_context context,
struct hdb_entry_ex *client,
krb5_pac *pac)
{
@@ -151,7 +151,7 @@ static krb5_error_code samba_kdc_get_pac(void *priv,
static krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context,
const krb5_principal client_principal,
- struct hdb_entry_ex *client,
+ struct hdb_entry_ex *client,
struct hdb_entry_ex *server, krb5_pac *pac)
{
krb5_error_code ret;
@@ -163,7 +163,7 @@ static krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context,
struct auth_serversupplied_info *server_info_out;
TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_get_pac context");
-
+
if (!mem_ctx) {
return ENOMEM;
}
@@ -230,8 +230,8 @@ static void samba_kdc_build_edata_reply(TALLOC_CTX *tmp_ctx, krb5_data *e_data,
* the account_ok routine in auth/auth_sam.c for consistancy */
-static krb5_error_code samba_kdc_check_client_access(void *priv,
- krb5_context context,
+static krb5_error_code samba_kdc_check_client_access(void *priv,
+ krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *client_ex, const char *client_name,
hdb_entry_ex *server_ex, const char *server_name,
@@ -253,7 +253,7 @@ static krb5_error_code samba_kdc_check_client_access(void *priv,
if (!tmp_ctx) {
return ENOMEM;
}
-
+
if (addresses) {
for (i=0; i < addresses->len; i++) {
if (addresses->val->addr_type == KRB5_ADDRESS_NETBIOS) {
@@ -276,7 +276,7 @@ static krb5_error_code samba_kdc_check_client_access(void *priv,
password_change = (server_ex && server_ex->entry.flags.change_pw);
/* we allow all kinds of trusts here */
- nt_status = authsam_account_ok(tmp_ctx,
+ nt_status = authsam_account_ok(tmp_ctx,
p->samdb,
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
p->realm_dn,
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 1c14f7fdb6..f838ec353a 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
KDC Server startup
@@ -9,12 +9,12 @@
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/