Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/hdb-ldb.c3
-rw-r--r--source4/kdc/kdc.c19
-rw-r--r--source4/kdc/kpasswdd.c72
3 files changed, 49 insertions, 45 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index ddee8d19d1..3ef5f9510a 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -49,6 +49,7 @@
#include "librpc/ndr/libndr.h"
#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "libcli/auth/libcli_auth.h"
+#include "param/param.h"
enum hdb_ldb_ent_type
{ HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER,
@@ -480,7 +481,7 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
entry_ex->entry.flags.ok_as_delegate = 1;
}
- if (lp_parm_bool(-1, "kdc", "require spn for service", True)) {
+ if (lp_parm_bool(global_loadparm, NULL, "kdc", "require spn for service", true)) {
if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
entry_ex->entry.flags.server = 0;
}
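Review bot: The `require spn for service` lookup now reads the process-wide `global_loadparm` from inside the HDB plugin, which also serves as a keytab according to the comment in kdc.c, so the plugin is tied to the global configuration rather than to a context its caller chose. If the loadparm context can be carried in the HDB private data reachable from `db`, passing it from there would keep the plugin usable with a non-global context; this is a style point, the behaviour matches the old implicit global. LDB_message2entry starts and ends outside the hunk.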
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index c58f738243..d1582215f8 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -38,6 +38,7 @@
#include "heimdal/kdc/windc_plugin.h"
#include "heimdal/lib/krb5/krb5_locl.h"
#include "heimdal/kdc/kdc_locl.h"
+#include "param/param.h"
/* Disgusting hack to get a mem_ctx into the hdb plugin, when used as a keytab */
@@ -50,7 +51,7 @@ struct kdc_reply {
DATA_BLOB packet;
};
-typedef BOOL (*kdc_process_fn_t)(struct kdc_server *kdc,
+typedef bool (*kdc_process_fn_t)(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
@@ -310,7 +311,7 @@ static void kdc_tcp_send(struct stream_connection *conn, uint16_t flags)
calling conventions
*/
-static BOOL kdc_process(struct kdc_server *kdc,
+static bool kdc_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
@@ -336,7 +337,7 @@ static BOOL kdc_process(struct kdc_server *kdc,
datagram_reply);
if (ret == -1) {
*reply = data_blob(NULL, 0);
- return False;
+ return false;
}
if (k5_reply.length) {
*reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length);
@@ -344,7 +345,7 @@ static BOOL kdc_process(struct kdc_server *kdc,
} else {
*reply = data_blob(NULL, 0);
}
- return True;
+ return true;
}
/*
@@ -407,15 +408,14 @@ static const struct stream_server_ops kpasswdd_tcp_stream_ops = {
/*
start listening on the given address
*/
-static NTSTATUS kdc_add_socket(struct kdc_server *kdc, const char *address)
+static NTSTATUS kdc_add_socket(struct kdc_server *kdc, const char *address,
+ uint16_t kdc_port, uint16_t kpasswd_port)
{
const struct model_ops *model_ops;
struct kdc_socket *kdc_socket;
struct kdc_socket *kpasswd_socket;
struct socket_address *kdc_address, *kpasswd_address;
NTSTATUS status;
- uint16_t kdc_port = lp_krb5_port();
- uint16_t kpasswd_port = lp_kpasswd_port();
kdc_socket = talloc(kdc, struct kdc_socket);
NT_STATUS_HAVE_NO_MEMORY(kdc_socket);
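Review bot: The header comment `start listening on the given address` no longer describes the signature, which now also takes the two ports that the caller resolves instead of reading them from the configuration itself. I would extend it to `start listening on the given address; kdc_port and kpasswd_port are the ports to bind for the KDC and kpasswd listeners`, so a reader does not have to find kdc_startup_interfaces to learn where the values come from. kdc_add_socket's body continues past the end of the hunk.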
@@ -526,7 +526,8 @@ static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc)
for (i=0; i<num_interfaces; i++) {
const char *address = talloc_strdup(tmp_ctx, iface_n_ip(i));
- status = kdc_add_socket(kdc, address);
+ status = kdc_add_socket(kdc, address, lp_krb5_port(global_loadparm),
+ lp_kpasswd_port(global_loadparm));
NT_STATUS_NOT_OK_RETURN(status);
}
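Review bot: `lp_krb5_port(global_loadparm)` and `lp_kpasswd_port(global_loadparm)` are evaluated once per interface inside the for loop although neither can change between iterations. Hoisting them keeps the call site short and makes it obvious that every interface shares one port pair: `uint16_t kdc_port = lp_krb5_port(global_loadparm);` and `uint16_t kpasswd_port = lp_kpasswd_port(global_loadparm);` above the loop, then `status = kdc_add_socket(kdc, address, kdc_port, kpasswd_port);` inside it. kdc_startup_interfaces starts and ends outside the hunk.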
@@ -554,7 +555,7 @@ static void kdc_task_init(struct task_server *task)
NTSTATUS status;
krb5_error_code ret;
- switch (lp_server_role()) {
+ switch (lp_server_role(global_loadparm)) {
case ROLE_STANDALONE:
task_server_terminate(task, "kdc: no KDC required in standalone configuration");
return;
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index dc717daa65..5bda85c96e 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -38,6 +38,7 @@
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/samr/proto.h"
#include "libcli/security/security.h"
+#include "param/param.h"
/* hold information about one kdc socket */
struct kpasswd_socket {
@@ -50,7 +51,7 @@ struct kpasswd_socket {
};
/* Return true if there is a valid error packet formed in the error_blob */
-static BOOL kpasswdd_make_error_reply(struct kdc_server *kdc,
+static bool kpasswdd_make_error_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
uint16_t result_code,
const char *error_string,
@@ -63,33 +64,33 @@ static BOOL kpasswdd_make_error_reply(struct kdc_server *kdc,
len = push_utf8_talloc(mem_ctx, &error_string_utf8, error_string);
if (len == -1) {
- return False;
+ return false;
}
*error_blob = data_blob_talloc(mem_ctx, NULL, 2 + len + 1);
if (!error_blob->data) {
- return False;
+ return false;
}
RSSVAL(error_blob->data, 0, result_code);
memcpy(error_blob->data + 2, error_string_utf8, len + 1);
- return True;
+ return true;
}
/* Return true if there is a valid error packet formed in the error_blob */
-static BOOL kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
+static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
uint16_t result_code,
const char *error_string,
DATA_BLOB *error_blob)
{
- BOOL ret;
+ bool ret;
int kret;
DATA_BLOB error_bytes;
krb5_data k5_error_bytes, k5_error_blob;
ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string,
&error_bytes);
if (!ret) {
- return False;
+ return false;
}
k5_error_bytes.data = error_bytes.data;
k5_error_bytes.length = error_bytes.length;
@@ -97,17 +98,17 @@ static BOOL kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
result_code, NULL, &k5_error_bytes,
NULL, NULL, NULL, NULL, &k5_error_blob);
if (kret) {
- return False;
+ return false;
}
*error_blob = data_blob_talloc(mem_ctx, k5_error_blob.data, k5_error_blob.length);
krb5_data_free(&k5_error_blob);
if (!error_blob->data) {
- return False;
+ return false;
}
- return True;
+ return true;
}
-static BOOL kpasswd_make_pwchange_reply(struct kdc_server *kdc,
+static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
NTSTATUS status,
enum samr_RejectReason reject_reason,
@@ -168,7 +169,7 @@ static BOOL kpasswd_make_pwchange_reply(struct kdc_server *kdc,
Return true if there is a valid error packet (or sucess) formed in
the error_blob
*/
-static BOOL kpasswdd_change_password(struct kdc_server *kdc,
+static bool kpasswdd_change_password(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
struct auth_session_info *session_info,
const char *password,
@@ -196,7 +197,7 @@ static BOOL kpasswdd_change_password(struct kdc_server *kdc,
status = samdb_set_password_sid(samdb, mem_ctx,
session_info->security_token->user_sid,
password, NULL, NULL,
- True, /* this is a user password change */
+ true, /* this is a user password change */
&reject_reason,
&dominfo);
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
@@ -207,7 +208,7 @@ static BOOL kpasswdd_change_password(struct kdc_server *kdc,
}
-static BOOL kpasswd_process_request(struct kdc_server *kdc,
+static bool kpasswd_process_request(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
uint16_t version,
@@ -228,7 +229,7 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
{
char *password = talloc_strndup(mem_ctx, (const char *)input->data, input->length);
if (!password) {
- return False;
+ return false;
}
return kpasswdd_change_password(kdc, mem_ctx, session_info,
password, reply);
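Review bot: `talloc_strndup(mem_ctx, (const char *)input->data, input->length)` stops at the first NUL byte, so a request body that contains one is silently shortened before it reaches kpasswdd_change_password and nothing on the new side notices; the same applies to the `chpw.newpasswd` copy in the later hunk of this function. If the protocol can carry a NUL inside the password, a check such as `if (strlen(password) != input->length) { return false; }` (or an error reply, as the surrounding branches produce) right after the allocation makes the rejection explicit instead of accidental. The plaintext copy also stays in mem_ctx uncleared until the caller frees it; clearing it once the function is done with it limits how long the password remains in memory. kpasswd_process_request starts and ends outside the hunk.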
@@ -255,7 +256,7 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
msg = ldb_msg_new(mem_ctx);
if (!msg) {
- return False;
+ return false;
}
ret = decode_ChangePasswdDataMS(input->data, input->length,
@@ -267,11 +268,12 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
reply);
}
- password = talloc_strndup(mem_ctx, chpw.newpasswd.data,
+ password = talloc_strndup(mem_ctx,
+ (const char *)chpw.newpasswd.data,
chpw.newpasswd.length);
if (!password) {
free_ChangePasswdDataMS(&chpw);
- return False;
+ return false;
}
if ((chpw.targname && !chpw.targrealm)
|| (!chpw.targname && chpw.targrealm)) {
@@ -360,7 +362,7 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
status = samdb_set_password(samdb, mem_ctx,
set_password_on_dn, NULL,
msg, password, NULL, NULL,
- False, /* this is not a user password change */
+ false, /* this is not a user password change */
&reject_reason, &dominfo);
}
@@ -399,10 +401,10 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
version),
reply);
}
- return True;
+ return true;
}
-BOOL kpasswdd_process(struct kdc_server *kdc,
+bool kpasswdd_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
@@ -410,7 +412,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
struct socket_address *my_addr,
int datagram_reply)
{
- BOOL ret;
+ bool ret;
const uint16_t header_len = 6;
uint16_t len;
uint16_t ap_req_len;
@@ -426,20 +428,20 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
- return False;
+ return false;
}
/* Be parinoid. We need to ensure we don't just let the
* caller lead us into a buffer overflow */
if (input->length <= header_len) {
talloc_free(tmp_ctx);
- return False;
+ return false;
}
len = RSVAL(input->data, 0);
if (input->length != len) {
talloc_free(tmp_ctx);
- return False;
+ return false;
}
/* There are two different versions of this protocol so far,
@@ -449,7 +451,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
ap_req_len = RSVAL(input->data, 4);
if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
talloc_free(tmp_ctx);
- return False;
+ return false;
}
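Review bot: `krb_priv_len = len - ap_req_len` does not subtract `header_len`, even though the check just above treats the AP-REQ as sitting after the header. If the PRIV part is later taken at offset `header_len + ap_req_len` with this length (that code is below the hunk), it would extend `header_len` bytes past the end of `input->data` on attacker-supplied input; please confirm against those lines and, if so, use `krb_priv_len = len - header_len - ap_req_len;`. kpasswdd_process continues outside the hunk.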
krb_priv_len = len - ap_req_len;
@@ -459,19 +461,19 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx, kdc->task->msg_ctx, &gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
- return False;
+ return false;
}
server_credentials = cli_credentials_init(tmp_ctx);
if (!server_credentials) {
DEBUG(1, ("Failed to init server credentials\n"));
- return False;
+ return false;
}
/* We want the credentials subsystem to use the krb5 context
* we already have, rather than a new context */
cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
- cli_credentials_set_conf(server_credentials);
+ cli_credentials_set_conf(server_credentials, global_loadparm);
nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw");
if (!NT_STATUS_IS_OK(nt_status)) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
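Review bot: The `return false;` after `cli_credentials_init` fails does not free `tmp_ctx`, unlike the failure paths immediately before and after it in this hunk; the same pattern appears in the two later hunks of this function (the `/* Argh! */` return and the `!reply->data` return). Since `tmp_ctx` is allocated as a child of `mem_ctx`, the memory is reclaimed with the parent, so this is a consistency gap rather than a permanent leak, but `talloc_free(tmp_ctx);` before each of those returns keeps the function's cleanup uniform. kpasswdd_process continues outside the hunk.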
@@ -491,7 +493,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
nt_status = gensec_set_credentials(gensec_security, server_credentials);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
- return False;
+ return false;
}
/* The kerberos PRIV packets include these addresses. MIT
@@ -499,12 +501,12 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
- return False;
+ return false;
}
nt_status = gensec_set_my_addr(gensec_security, my_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
- return False;
+ return false;
}
/* We want the GENSEC wrap calls to generate PRIV tokens */
@@ -513,7 +515,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
- return False;
+ return false;
}
/* Accept the AP-REQ and generate teh AP-REP we need for the reply */
@@ -558,7 +560,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
&kpasswd_req, &kpasswd_rep);
if (!ret) {
/* Argh! */
- return False;
+ return false;
}
/* And wrap up the reply: This ensures that the error message
@@ -583,7 +585,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
reply:
*reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len);
if (!reply->data) {
- return False;
+ return false;
}
RSSVAL(reply->data, 0, reply->length);