summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth.h2
-rw-r--r--source4/auth/sam.c42
-rw-r--r--source4/kdc/hdb-samba4.c49
3 files changed, 62 insertions, 31 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 6bad017862..8a0f12efd8 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -23,6 +23,8 @@
#include "librpc/gen_ndr/ndr_krb5pac.h"
+extern const char *krbtgt_attrs[];
+extern const char *server_attrs[];
extern const char *user_attrs[];
union netr_Validation;
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index c396662c12..635d94242f 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -32,25 +32,37 @@
#include "param/param.h"
#include "auth/auth_sam.h"
-const char *user_attrs[] = {
- /* required for the krb5 kdc */
- "objectClass",
- "sAMAccountName",
- "userPrincipalName",
- "servicePrincipalName",
- "msDS-KeyVersionNumber",
- "supplementalCredentials",
+#define KRBTGT_ATTRS \
+ /* required for the krb5 kdc */ \
+ "objectClass", \
+ "sAMAccountName", \
+ "userPrincipalName", \
+ "servicePrincipalName", \
+ "msDS-KeyVersionNumber", \
+ "supplementalCredentials", \
+ \
+ /* passwords */ \
+ "dBCSPwd", \
+ "unicodePwd", \
+ \
+ "userAccountControl", \
+ "objectSid", \
+ \
+ "pwdLastSet", \
+ "accountExpires"
+
+const char *krbtgt_attrs[] = {
+ KRBTGT_ATTRS
+};
- /* passwords */
- "dBCSPwd",
- "unicodePwd",
+const char *server_attrs[] = {
+ KRBTGT_ATTRS
+};
- "userAccountControl",
+const char *user_attrs[] = {
+ KRBTGT_ATTRS,
- "pwdLastSet",
- "accountExpires",
"logonHours",
- "objectSid",
/* check 'allowed workstations' */
"userWorkstations",
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 25b0deb082..435282a0c1 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1044,11 +1044,10 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
int lret;
char *realm_fixed;
- const char * const *princ_attrs = user_attrs;
lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx,
realm_dn, LDB_SCOPE_SUBTREE,
- &msg, princ_attrs,
+ &msg, krbtgt_attrs,
"(&(objectClass=user)(samAccountName=krbtgt))");
if (lret == LDB_ERR_NO_SUCH_OBJECT) {
krb5_warnx(context, "hdb_samba4_fetch: could not find own KRBTGT in DB!");
@@ -1134,17 +1133,16 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db,
}
-static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
- struct loadparm_context *lp_ctx,
- TALLOC_CTX *mem_ctx,
- krb5_const_principal principal,
- unsigned flags,
- hdb_entry_ex *entry_ex)
+static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ const char **attrs,
+ struct ldb_dn **realm_dn,
+ struct ldb_message **msg)
{
krb5_error_code ret;
const char *realm;
- struct ldb_message *msg = NULL;
- struct ldb_dn *realm_dn;
if (principal->name.name_string.len >= 2) {
/* 'normal server' case */
int ldb_ret;
@@ -1164,7 +1162,7 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
* referral instead */
nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db,
mem_ctx, principal_string,
- &user_dn, &realm_dn);
+ &user_dn, realm_dn);
free(principal_string);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1174,7 +1172,7 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
ldb_ret = gendb_search_single_extended_dn((struct ldb_context *)db->hdb_db,
mem_ctx,
user_dn, LDB_SCOPE_BASE,
- &msg, user_attrs,
+ msg, attrs,
"(objectClass=*)");
if (ldb_ret != LDB_SUCCESS) {
return HDB_ERR_NOENTRY;
@@ -1183,10 +1181,9 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
} else {
int lret;
char *filter = NULL;
- const char * const *princ_attrs = user_attrs;
char *short_princ;
/* server as client principal case, but we must not lookup userPrincipalNames */
- realm_dn = ldb_get_default_basedn(db->hdb_db);
+ *realm_dn = ldb_get_default_basedn(db->hdb_db);
realm = krb5_principal_get_realm(context, principal);
/* TODO: Check if it is our realm, otherwise give referall */
@@ -1200,8 +1197,8 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
}
lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx,
- realm_dn, LDB_SCOPE_SUBTREE,
- &msg, princ_attrs, "(&(objectClass=user)(samAccountName=%s))",
+ *realm_dn, LDB_SCOPE_SUBTREE,
+ msg, attrs, "(&(objectClass=user)(samAccountName=%s))",
ldb_binary_encode_string(mem_ctx, short_princ));
free(short_princ);
if (lret == LDB_ERR_NO_SUCH_OBJECT) {
@@ -1215,6 +1212,26 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
}
}
+ return 0;
+}
+
+static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db,
+ struct loadparm_context *lp_ctx,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ unsigned flags,
+ hdb_entry_ex *entry_ex)
+{
+ krb5_error_code ret;
+ struct ldb_dn *realm_dn;
+ struct ldb_message *msg;
+
+ ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, principal,
+ server_attrs, &realm_dn, &msg);
+ if (ret != 0) {
+ return ret;
+ }
+
ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx,
principal, HDB_SAMBA4_ENT_TYPE_SERVER,
realm_dn, msg, entry_ex);