diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/credentials/credentials_gensec.c | 47 | ||||
-rw-r--r-- | source4/auth/gensec/gensec.c | 7 | ||||
-rw-r--r-- | source4/kdc/config.mk | 1 | ||||
-rw-r--r-- | source4/kdc/hdb-ldb.c | 43 | ||||
-rw-r--r-- | source4/kdc/kdc.c | 10 | ||||
-rw-r--r-- | source4/kdc/kdc.h | 10 | ||||
-rw-r--r-- | source4/kdc/pac-glue.c | 8 |
7 files changed, 100 insertions, 26 deletions
diff --git a/source4/auth/credentials/credentials_gensec.c b/source4/auth/credentials/credentials_gensec.c index 077e4689ec..fcaa760ed4 100644 --- a/source4/auth/credentials/credentials_gensec.c +++ b/source4/auth/credentials/credentials_gensec.c @@ -24,8 +24,53 @@ const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds) { - if (!creds->gensec_list) { + if (!creds || !creds->gensec_list) { return gensec_security_all(); } return creds->gensec_list; } + +static NTSTATUS cli_credentials_gensec_remove_mech(struct cli_credentials *creds, + const struct gensec_security_ops *remove_mech) +{ + const struct gensec_security_ops **gensec_list; + const struct gensec_security_ops **new_gensec_list; + int i, j; + + gensec_list = cli_credentials_gensec_list(creds); + + for (i=0; gensec_list && gensec_list[i]; i++) { + /* noop */ + } + + new_gensec_list = talloc_array(creds, const struct gensec_security_ops *, i + 1); + if (!new_gensec_list) { + return NT_STATUS_NO_MEMORY; + } + + j = 0; + for (i=0; gensec_list && gensec_list[i]; i++) { + if (gensec_list[i] != remove_mech) { + new_gensec_list[j] = gensec_list[i]; + j++; + } + } + new_gensec_list[j] = NULL; + + creds->gensec_list = new_gensec_list; + + return NT_STATUS_OK; +} + +NTSTATUS cli_credentials_gensec_remove_oid(struct cli_credentials *creds, + const char *oid) +{ + const struct gensec_security_ops *gensec_by_oid; + + gensec_by_oid = gensec_security_by_oid(NULL, oid); + if (!gensec_by_oid) { + return NT_STATUS_OK; + } + + return cli_credentials_gensec_remove_mech(creds, gensec_by_oid); +} diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index 0d79cb892c..26f245787b 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -53,8 +53,8 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens return NULL; } -static const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security, - const char *oid_string) +const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security, + const char *oid_string) { int i, j; const struct gensec_security_ops **backends; @@ -805,6 +805,9 @@ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security) { + if (!gensec_security) { + return NULL; + } return gensec_security->credentials; } diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk index 9e07ecab19..ef14f83893 100644 --- a/source4/kdc/config.mk +++ b/source4/kdc/config.mk @@ -3,6 +3,7 @@ ####################### # Start SUBSYSTEM KDC [SUBSYSTEM::KDC] +NOPROTO = YES INIT_OBJ_FILES = \ kdc.o \ pac-glue.o \ diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c index e9c1855a10..9b1d673764 100644 --- a/source4/kdc/hdb-ldb.c +++ b/source4/kdc/hdb-ldb.c @@ -40,6 +40,7 @@ #include "lib/ldb/include/ldb_errors.h" #include "system/iconv.h" #include "librpc/gen_ndr/netlogon.h" +#include "auth/auth.h" enum hdb_ldb_ent_type { HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER, @@ -588,7 +589,8 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con talloc_free(res); return HDB_ERR_NOENTRY; } - *pmsg = talloc_steal(mem_ctx, res->msgs); + talloc_steal(mem_ctx, res->msgs); + *pmsg = res->msgs; talloc_free(res); return 0; } @@ -680,7 +682,7 @@ static krb5_error_code LDB_fetch_ex(krb5_context context, HDB *db, unsigned flag const char *realm; const struct ldb_dn *realm_dn; - TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "LDB_fetch context"); + TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context"); if (!mem_ctx) { krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!"); @@ -1037,25 +1039,44 @@ static krb5_error_code LDB_destroy(krb5_context context, HDB *db) return 0; } -krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx, - krb5_context context, struct HDB **db, const char *arg) +NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx, + krb5_context context, struct HDB **db, const char *arg) { + NTSTATUS nt_status; + struct auth_session_info *session_info; *db = talloc(mem_ctx, HDB); if (!*db) { krb5_set_error_string(context, "malloc: out of memory"); - return ENOMEM; + return NT_STATUS_NO_MEMORY; } (*db)->hdb_master_key_set = 0; (*db)->hdb_db = NULL; + nt_status = auth_system_session_info(*db, &session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + /* The idea here is very simple. Using Kerberos to + * authenticate the KDC to the LDAP server is higly likely to + * be circular. + * + * In future we may set this up to use EXERNAL and SSL + * certificates, for now it will almost certainly be NTLMSSP + */ + + nt_status = cli_credentials_gensec_remove_oid(session_info->credentials, + GENSEC_OID_KERBEROS5); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + /* Setup the link to LDB */ - (*db)->hdb_db = samdb_connect(*db, system_session(db)); + (*db)->hdb_db = samdb_connect(*db, session_info); if ((*db)->hdb_db == NULL) { - krb5_warnx(context, "hdb_ldb_create: samdb_connect failed!"); - krb5_set_error_string(context, "samdb_connect failed!"); - talloc_free(*db); - return HDB_ERR_NOENTRY; + DEBUG(1, ("hdb_ldb_create: Cannot open samdb for KDC backend!")); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } (*db)->hdb_openp = 0; @@ -1077,5 +1098,5 @@ krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx, (*db)->hdb__del = NULL; (*db)->hdb_destroy = LDB_destroy; - return 0; + return NT_STATUS_OK; } diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index bcf7ed968c..7e165ae349 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -564,12 +564,10 @@ static void kdc_task_init(struct task_server *task) } kdc->config->num_db = 1; - ret = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context, - &kdc->config->db[0], NULL); - if (ret != 0) { - DEBUG(1, ("kdc_task_init: hdb_ldb_create fails: %s\n", - smb_get_krb5_error_message(kdc->smb_krb5_context->krb5_context, ret, kdc))); - task_server_terminate(task, "kdc: hdb_ldb_create failed"); + status = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context, + &kdc->config->db[0], NULL); + if (!NT_STATUS_IS_OK(status)) { + task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed"); return; } diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h index 99c419d4d9..0cf3199c52 100644 --- a/source4/kdc/kdc.h +++ b/source4/kdc/kdc.h @@ -27,8 +27,14 @@ #include "heimdal/lib/hdb/hdb.h" #include "kdc/pac-glue.h" -krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx, - krb5_context context, struct HDB **db, const char *arg); +NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx, + krb5_context context, struct HDB **db, const char *arg); +BOOL kpasswdd_process(struct kdc_server *kdc, + TALLOC_CTX *mem_ctx, + DATA_BLOB *input, + DATA_BLOB *reply, + const char *from, + int src_port); /* top level context structure for the kdc server diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index bd4d3e6a2f..79e7b3c5a7 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -81,7 +81,7 @@ static krb5_error_code samba_get_pac(krb5_context context, } /* Wrap the PAC in the right ASN.1. Will always free 'pac', on success or failure */ -krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData **out) +static krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData **out) { krb5_error_code ret; @@ -144,7 +144,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData set, or if they specificaly asked not to get it. */ - krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex, +krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex, METHOD_DATA* pa_data_seq, time_t authtime, EncryptionKey *tgtkey, @@ -204,7 +204,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData /* Resign (and reform, including possibly new groups) a PAC */ - krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex, +krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex, krb5_principal client, AuthorizationData *in, time_t authtime, @@ -316,7 +316,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData /* Given an hdb entry (and in particular it's private member), consult * the account_ok routine in auth/auth_sam.c for consistancy */ - krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex, +krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex, HostAddresses *addresses) { krb5_error_code ret; |