summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/credentials/credentials_gensec.c47
-rw-r--r--source4/auth/gensec/gensec.c7
-rw-r--r--source4/kdc/config.mk1
-rw-r--r--source4/kdc/hdb-ldb.c43
-rw-r--r--source4/kdc/kdc.c10
-rw-r--r--source4/kdc/kdc.h10
-rw-r--r--source4/kdc/pac-glue.c8
7 files changed, 100 insertions, 26 deletions
diff --git a/source4/auth/credentials/credentials_gensec.c b/source4/auth/credentials/credentials_gensec.c
index 077e4689ec..fcaa760ed4 100644
--- a/source4/auth/credentials/credentials_gensec.c
+++ b/source4/auth/credentials/credentials_gensec.c
@@ -24,8 +24,53 @@
const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds)
{
- if (!creds->gensec_list) {
+ if (!creds || !creds->gensec_list) {
return gensec_security_all();
}
return creds->gensec_list;
}
+
+static NTSTATUS cli_credentials_gensec_remove_mech(struct cli_credentials *creds,
+ const struct gensec_security_ops *remove_mech)
+{
+ const struct gensec_security_ops **gensec_list;
+ const struct gensec_security_ops **new_gensec_list;
+ int i, j;
+
+ gensec_list = cli_credentials_gensec_list(creds);
+
+ for (i=0; gensec_list && gensec_list[i]; i++) {
+ /* noop */
+ }
+
+ new_gensec_list = talloc_array(creds, const struct gensec_security_ops *, i + 1);
+ if (!new_gensec_list) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ j = 0;
+ for (i=0; gensec_list && gensec_list[i]; i++) {
+ if (gensec_list[i] != remove_mech) {
+ new_gensec_list[j] = gensec_list[i];
+ j++;
+ }
+ }
+ new_gensec_list[j] = NULL;
+
+ creds->gensec_list = new_gensec_list;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS cli_credentials_gensec_remove_oid(struct cli_credentials *creds,
+ const char *oid)
+{
+ const struct gensec_security_ops *gensec_by_oid;
+
+ gensec_by_oid = gensec_security_by_oid(NULL, oid);
+ if (!gensec_by_oid) {
+ return NT_STATUS_OK;
+ }
+
+ return cli_credentials_gensec_remove_mech(creds, gensec_by_oid);
+}
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 0d79cb892c..26f245787b 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -53,8 +53,8 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
return NULL;
}
-static const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
- const char *oid_string)
+const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
+ const char *oid_string)
{
int i, j;
const struct gensec_security_ops **backends;
@@ -805,6 +805,9 @@ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct
struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
{
+ if (!gensec_security) {
+ return NULL;
+ }
return gensec_security->credentials;
}
diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk
index 9e07ecab19..ef14f83893 100644
--- a/source4/kdc/config.mk
+++ b/source4/kdc/config.mk
@@ -3,6 +3,7 @@
#######################
# Start SUBSYSTEM KDC
[SUBSYSTEM::KDC]
+NOPROTO = YES
INIT_OBJ_FILES = \
kdc.o \
pac-glue.o \
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index e9c1855a10..9b1d673764 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -40,6 +40,7 @@
#include "lib/ldb/include/ldb_errors.h"
#include "system/iconv.h"
#include "librpc/gen_ndr/netlogon.h"
+#include "auth/auth.h"
enum hdb_ldb_ent_type
{ HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER,
@@ -588,7 +589,8 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con
talloc_free(res);
return HDB_ERR_NOENTRY;
}
- *pmsg = talloc_steal(mem_ctx, res->msgs);
+ talloc_steal(mem_ctx, res->msgs);
+ *pmsg = res->msgs;
talloc_free(res);
return 0;
}
@@ -680,7 +682,7 @@ static krb5_error_code LDB_fetch_ex(krb5_context context, HDB *db, unsigned flag
const char *realm;
const struct ldb_dn *realm_dn;
- TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "LDB_fetch context");
+ TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context");
if (!mem_ctx) {
krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!");
@@ -1037,25 +1039,44 @@ static krb5_error_code LDB_destroy(krb5_context context, HDB *db)
return 0;
}
-krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
- krb5_context context, struct HDB **db, const char *arg)
+NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx,
+ krb5_context context, struct HDB **db, const char *arg)
{
+ NTSTATUS nt_status;
+ struct auth_session_info *session_info;
*db = talloc(mem_ctx, HDB);
if (!*db) {
krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
+ return NT_STATUS_NO_MEMORY;
}
(*db)->hdb_master_key_set = 0;
(*db)->hdb_db = NULL;
+ nt_status = auth_system_session_info(*db, &session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ /* The idea here is very simple. Using Kerberos to
+ * authenticate the KDC to the LDAP server is higly likely to
+ * be circular.
+ *
+ * In future we may set this up to use EXERNAL and SSL
+ * certificates, for now it will almost certainly be NTLMSSP
+ */
+
+ nt_status = cli_credentials_gensec_remove_oid(session_info->credentials,
+ GENSEC_OID_KERBEROS5);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
/* Setup the link to LDB */
- (*db)->hdb_db = samdb_connect(*db, system_session(db));
+ (*db)->hdb_db = samdb_connect(*db, session_info);
if ((*db)->hdb_db == NULL) {
- krb5_warnx(context, "hdb_ldb_create: samdb_connect failed!");
- krb5_set_error_string(context, "samdb_connect failed!");
- talloc_free(*db);
- return HDB_ERR_NOENTRY;
+ DEBUG(1, ("hdb_ldb_create: Cannot open samdb for KDC backend!"));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
(*db)->hdb_openp = 0;
@@ -1077,5 +1098,5 @@ krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
(*db)->hdb__del = NULL;
(*db)->hdb_destroy = LDB_destroy;
- return 0;
+ return NT_STATUS_OK;
}
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index bcf7ed968c..7e165ae349 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -564,12 +564,10 @@ static void kdc_task_init(struct task_server *task)
}
kdc->config->num_db = 1;
- ret = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context,
- &kdc->config->db[0], NULL);
- if (ret != 0) {
- DEBUG(1, ("kdc_task_init: hdb_ldb_create fails: %s\n",
- smb_get_krb5_error_message(kdc->smb_krb5_context->krb5_context, ret, kdc)));
- task_server_terminate(task, "kdc: hdb_ldb_create failed");
+ status = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context,
+ &kdc->config->db[0], NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed");
return;
}
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index 99c419d4d9..0cf3199c52 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -27,8 +27,14 @@
#include "heimdal/lib/hdb/hdb.h"
#include "kdc/pac-glue.h"
-krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
- krb5_context context, struct HDB **db, const char *arg);
+NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx,
+ krb5_context context, struct HDB **db, const char *arg);
+BOOL kpasswdd_process(struct kdc_server *kdc,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *input,
+ DATA_BLOB *reply,
+ const char *from,
+ int src_port);
/*
top level context structure for the kdc server
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index bd4d3e6a2f..79e7b3c5a7 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -81,7 +81,7 @@ static krb5_error_code samba_get_pac(krb5_context context,
}
/* Wrap the PAC in the right ASN.1. Will always free 'pac', on success or failure */
-krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData **out)
+static krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData **out)
{
krb5_error_code ret;
@@ -144,7 +144,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
set, or if they specificaly asked not to get it.
*/
- krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex,
+krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex,
METHOD_DATA* pa_data_seq,
time_t authtime,
EncryptionKey *tgtkey,
@@ -204,7 +204,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
/* Resign (and reform, including possibly new groups) a PAC */
- krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex,
+krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex,
krb5_principal client,
AuthorizationData *in,
time_t authtime,
@@ -316,7 +316,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
/* Given an hdb entry (and in particular it's private member), consult
* the account_ok routine in auth/auth_sam.c for consistancy */
- krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex,
+krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex,
HostAddresses *addresses)
{
krb5_error_code ret;