From afb6ac247be9fa2e5e34dcf69e6b5ba557e19892 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 27 Jul 2009 13:48:45 +1000 Subject: s4:kdc Tidy up hdb_samba4 some more This removes the last use of the prefix hdb_ldb and makes it clear that we pass in 3 global variables to get state information into hdb_samba4 when used as a keytab. (And that they belong to hdb_samba4, not to the KDC) Andrew Bartlett --- source4/kdc/hdb-samba4.c | 66 ++++++++++++++++++++++++++++-------------------- source4/kdc/hdb-samba4.h | 35 +++++++++++++++++++++++++ source4/kdc/kdc.c | 30 ++++++++-------------- source4/kdc/kdc.h | 12 +-------- source4/kdc/pac-glue.c | 10 ++++---- 5 files changed, 90 insertions(+), 63 deletions(-) create mode 100644 source4/kdc/hdb-samba4.h diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index cadbe33af6..f5e2f59b56 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -53,7 +53,7 @@ #include "kdc/kdc.h" #include "../lib/crypto/md4.h" -enum hdb_ldb_ent_type +enum hdb_samba4_ent_type { HDB_SAMBA4_ENT_TYPE_CLIENT, HDB_SAMBA4_ENT_TYPE_SERVER, HDB_SAMBA4_ENT_TYPE_KRBTGT, HDB_SAMBA4_ENT_TYPE_TRUST, HDB_SAMBA4_ENT_TYPE_ANY }; @@ -93,7 +93,7 @@ static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, con return timegm(&tm); } -static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum hdb_ldb_ent_type ent_type) +static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum hdb_samba4_ent_type ent_type) { HDBFlags flags = int2HDBFlags(0); 
@@ -181,14 +181,14 @@ static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum h return flags; } -static int hdb_ldb_destructor(struct hdb_ldb_private *p) +static int hdb_samba4_destructor(struct hdb_samba4_private *p) { hdb_entry_ex *entry_ex = p->entry_ex; free_hdb_entry(&entry_ex->entry); return 0; } -static void hdb_ldb_free_entry(krb5_context context, hdb_entry_ex *entry_ex) +static void hdb_samba4_free_entry(krb5_context context, hdb_entry_ex *entry_ex) { talloc_free(entry_ex->ctx); } @@ -487,7 +487,7 @@ out: static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, struct loadparm_context *lp_ctx, TALLOC_CTX *mem_ctx, krb5_const_principal principal, - enum hdb_ldb_ent_type ent_type, + enum hdb_samba4_ent_type ent_type, struct ldb_dn *realm_dn, struct ldb_message *msg, hdb_entry_ex *entry_ex) @@ -498,7 +498,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, krb5_boolean is_computer = FALSE; char *realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx)); - struct hdb_ldb_private *p; + struct hdb_samba4_private *p; NTTIME acct_expiry; NTSTATUS status; @@ -529,7 +529,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, goto out; } - p = talloc(mem_ctx, struct hdb_ldb_private); + p = talloc(mem_ctx, struct hdb_samba4_private); if (!p) { ret = ENOMEM; goto out; @@ -544,10 +544,10 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, goto out; } - talloc_set_destructor(p, hdb_ldb_destructor); + talloc_set_destructor(p, hdb_samba4_destructor); entry_ex->ctx = p; - entry_ex->free_entry = hdb_ldb_free_entry; + entry_ex->free_entry = hdb_samba4_free_entry; userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0); 
@@ -746,12 +746,12 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB struct samr_Password password_hash; const struct ldb_val *password_val; struct trustAuthInOutBlob password_blob; - struct hdb_ldb_private *p; + struct hdb_samba4_private *p; enum ndr_err_code ndr_err; int i, ret, trust_direction_flags; - p = talloc(mem_ctx, struct hdb_ldb_private); + p = talloc(mem_ctx, struct hdb_samba4_private); if (!p) { ret = ENOMEM; goto out; @@ -762,10 +762,10 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB p->lp_ctx = lp_ctx; p->realm_dn = realm_dn; - talloc_set_destructor(p, hdb_ldb_destructor); + talloc_set_destructor(p, hdb_samba4_destructor); entry_ex->ctx = p; - entry_ex->free_entry = hdb_ldb_free_entry; + entry_ex->free_entry = hdb_samba4_free_entry; /* use 'whenCreated' */ entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0); @@ -1290,7 +1290,7 @@ static krb5_error_code hdb_samba4_remove(krb5_context context, HDB *db, krb5_con return HDB_ERR_DB_INUSE; } -struct hdb_ldb_seq { +struct hdb_samba4_seq { struct ldb_context *ctx; struct loadparm_context *lp_ctx; int index; @@ -1302,7 +1302,7 @@ struct hdb_ldb_seq { static krb5_error_code hdb_samba4_seq(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) { krb5_error_code ret; - struct hdb_ldb_seq *priv = (struct hdb_ldb_seq *)db->hdb_dbc; + struct hdb_samba4_seq *priv = (struct hdb_samba4_seq *)db->hdb_dbc; TALLOC_CTX *mem_ctx; hdb_entry_ex entry_ex; memset(&entry_ex, '\0', sizeof(entry_ex)); 
@@ -1344,7 +1344,7 @@ static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsign struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db; struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"), struct loadparm_context); - struct hdb_ldb_seq *priv = (struct hdb_ldb_seq *)db->hdb_dbc; + struct hdb_samba4_seq *priv = (struct hdb_samba4_seq *)db->hdb_dbc; char *realm; struct ldb_result *res = NULL; krb5_error_code ret; @@ -1356,7 +1356,7 @@ static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsign db->hdb_dbc = NULL; } - priv = (struct hdb_ldb_seq *) talloc(db, struct hdb_ldb_seq); + priv = (struct hdb_samba4_seq *) talloc(db, struct hdb_samba4_seq); if (!priv) { ret = ENOMEM; krb5_set_error_message(context, ret, "talloc: out of memory"); @@ -1435,7 +1435,7 @@ krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HD struct ldb_message *msg; struct dom_sid *orig_sid; struct dom_sid *target_sid; - struct hdb_ldb_private *p = talloc_get_type(entry->ctx, struct hdb_ldb_private); + struct hdb_samba4_private *p = talloc_get_type(entry->ctx, struct hdb_samba4_private); const char *delegation_check_attrs[] = { "objectSid", NULL }; 
@@ -1491,15 +1491,15 @@ krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HD return ret; } -/* This interface is to be called by the KDC, which is expecting Samba +/* This interface is to be called by the KDC and libnet_keytab_dump, which is expecting Samba * calling conventions. It is also called by a wrapper - * (hdb_ldb_create) from the kpasswdd -> krb5 -> keytab_hdb -> hdb + * (hdb_samba4_create) from the kpasswdd -> krb5 -> keytab_hdb -> hdb * code */ -NTSTATUS kdc_hdb_samba4_create(TALLOC_CTX *mem_ctx, - struct tevent_context *ev_ctx, - struct loadparm_context *lp_ctx, - krb5_context context, struct HDB **db, const char *arg) +NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx, + struct tevent_context *ev_ctx, + struct loadparm_context *lp_ctx, + krb5_context context, struct HDB **db) { NTSTATUS nt_status; struct auth_session_info *session_info; @@ -1532,7 +1532,7 @@ NTSTATUS kdc_hdb_samba4_create(TALLOC_CTX *mem_ctx, /* Setup the link to LDB */ (*db)->hdb_db = samdb_connect(*db, ev_ctx, lp_ctx, session_info); if ((*db)->hdb_db == NULL) { - DEBUG(1, ("hdb_ldb_create: Cannot open samdb for KDC backend!")); + DEBUG(1, ("hdb_samba4_create: Cannot open samdb for KDC backend!")); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } 
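Review bot: The DEBUG string changed in the `@@ -1532` hunk has no trailing newline, so the message runs into whatever the log emits next; Samba DEBUG strings end in `\n`. It also attributes the failure to `hdb_samba4_create`, but this line sits inside `hdb_samba4_create_kdc`, and after this commit `hdb_samba4_create` is a separate static wrapper, so the name in the log points at the wrong function. Suggest `DEBUG(1, ("hdb_samba4_create_kdc: Cannot open samdb for KDC backend!\n"));`. The enclosing function starts and ends outside this hunk.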
@@ -1560,15 +1560,25 @@ NTSTATUS kdc_hdb_samba4_create(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg) +static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg) { NTSTATUS nt_status; /* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */ - nt_status = kdc_hdb_samba4_create(kdc_mem_ctx, kdc_ev_ctx, kdc_lp_ctx, - context, db, arg); + nt_status = hdb_samba4_create_kdc(hdb_samba4_mem_ctx, hdb_samba4_ev_ctx, hdb_samba4_lp_ctx, + context, db); if (NT_STATUS_IS_OK(nt_status)) { return 0; } return EINVAL; } + +/* Only used in the hdb-backed keytab code + * for a keytab of 'samba4:', to find + * kpasswd's key in the main DB, and to + * copy all the keys into a file (libnet_keytab_export) */ +struct hdb_method hdb_samba4 = { + .interface_version = HDB_INTERFACE_VERSION, + .prefix = "samba4", + .create = hdb_samba4_create +}; diff --git a/source4/kdc/hdb-samba4.h b/source4/kdc/hdb-samba4.h new file mode 100644 index 0000000000..3a377ddf0b --- /dev/null +++ b/source4/kdc/hdb-samba4.h 
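Review bot: `hdb_samba4_create` passes the three `hdb_samba4_*` globals straight into `hdb_samba4_create_kdc` without checking them, yet the only place this diff assigns them is `kdc_task_init` in kdc.c, while the new comment on `hdb_method hdb_samba4` says the plugin is also used by libnet_keytab_export; in a process where that task never ran, the backend is created with NULL memory, event and loadparm contexts. A guard such as `if (hdb_samba4_ev_ctx == NULL || hdb_samba4_lp_ctx == NULL) { krb5_set_error_message(context, EINVAL, "hdb_samba4: globals not initialised"); return EINVAL; }` would fail loudly instead (`krb5_set_error_message` is already used in this file). Every other failure also collapses to a bare `EINVAL` with no error message, so the NT_STATUS from `hdb_samba4_create_kdc` is lost to the caller. The in-body comment still reads `/* The global kdc_mem_ctx and kdc_lp_ctx, ... */` and should name the renamed `hdb_samba4_mem_ctx`, `hdb_samba4_ev_ctx` and `hdb_samba4_lp_ctx`; `arg` is now ignored, which presumably is intended but deserves a word in that comment.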
@@ -0,0 +1,35 @@ +/* + Unix SMB/CIFS implementation. + + KDC structures + + Copyright (C) Andrew Tridgell 2005 + Copyright (C) Andrew Bartlett 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +extern TALLOC_CTX *hdb_samba4_mem_ctx; +extern struct tevent_context *hdb_samba4_ev_ctx; +extern struct loadparm_context *hdb_samba4_lp_ctx; +extern struct hdb_method hdb_samba4; + +struct hdb_samba4_private { + struct ldb_context *samdb; + struct smb_iconv_convenience *iconv_convenience; + struct loadparm_context *lp_ctx; + struct ldb_message *msg; + struct ldb_dn *realm_dn; + hdb_entry_ex *entry_ex; +}; diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index ad74e10227..28d8da9d9f 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -43,9 +43,9 @@ /* Disgusting hack to get a mem_ctx and lp_ctx into the hdb plugin, when * used as a keytab */ -TALLOC_CTX *kdc_mem_ctx; -struct tevent_context *kdc_ev_ctx; -struct loadparm_context *kdc_lp_ctx; +TALLOC_CTX *hdb_samba4_mem_ctx; +struct tevent_context *hdb_samba4_ev_ctx; +struct loadparm_context *hdb_samba4_lp_ctx; /* hold all the info needed to send a reply */ struct kdc_reply { 
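Review bot: The new header hdb-samba4.h has no include guard and no includes of its own, although it uses `TALLOC_CTX`, `struct tevent_context`, `struct hdb_method`, `hdb_entry_ex` and the ldb types; it only compiles because kdc.h includes it after its own headers, so any other includer has to reproduce that order. Wrapping the body in `#ifndef _KDC_HDB_SAMBA4_H_` / `#define _KDC_HDB_SAMBA4_H_` / `#endif` and either including the hdb/talloc/tevent headers or stating the prerequisite in a comment would make it self-contained. The file comment (`KDC structures`, 2005 copyright) appears copied from kdc.h and should describe this file: the `hdb_samba4` HDB backend and its private entry state. The three `extern` globals deserve a comment saying who must set them and when, e.g. `/* set by the process that registers the hdb_samba4 plugin (kdc_task_init) before any "samba4:" keytab is opened; hdb_samba4_create() reads them */`.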
@@ -659,14 +659,6 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, } -static struct hdb_method hdb_samba4 = { - .interface_version = HDB_INTERFACE_VERSION, - .prefix = "samba4", /* Only used in the hdb-backed keytab code - * for a keytab of 'samba4:', to find - * kpasswd's key in the main DB */ - .create = hdb_samba4_create -}; - /* startup the kdc task */ @@ -733,16 +725,20 @@ static void kdc_task_init(struct task_server *task) } kdc->config->num_db = 1; - status = kdc_hdb_samba4_create(kdc, task->event_ctx, task->lp_ctx, - kdc->smb_krb5_context->krb5_context, - &kdc->config->db[0], NULL); + status = hdb_samba4_create_kdc(kdc, task->event_ctx, task->lp_ctx, + kdc->smb_krb5_context->krb5_context, + &kdc->config->db[0]); if (!NT_STATUS_IS_OK(status)) { task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed"); return; } - /* Register hdb-samba4 hooks */ + + hdb_samba4_mem_ctx = kdc->smb_krb5_context; + hdb_samba4_ev_ctx = task->event_ctx; + hdb_samba4_lp_ctx = task->lp_ctx; + ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context, PLUGIN_TYPE_DATA, "hdb", &hdb_samba4); @@ -768,10 +764,6 @@ static void kdc_task_init(struct task_server *task) krb5_kdc_windc_init(kdc->smb_krb5_context->krb5_context); - kdc_mem_ctx = kdc->smb_krb5_context; - kdc_ev_ctx = task->event_ctx; - kdc_lp_ctx = task->lp_ctx; - /* start listening on the configured network interfaces */ status = kdc_startup_interfaces(kdc, task->lp_ctx, ifaces); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h index d37a32ebbf..a2bf412f2a 100644 --- a/source4/kdc/kdc.h +++ b/source4/kdc/kdc.h @@ -26,13 +26,11 @@ #include #include #include "kdc/pac_glue.h" +#include "kdc/hdb-samba4.h" struct kdc_server; struct socket_address; -extern TALLOC_CTX *kdc_mem_ctx; -extern struct tevent_context *kdc_ev_ctx; -extern struct loadparm_context *kdc_lp_ctx; bool kpasswdd_process(struct kdc_server *kdc, TALLOC_CTX *mem_ctx, 
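Review bot: In the `@@ -733` hunk the terminate message on the context line still reads `"kdc: hdb_ldb_create (setup KDC database) failed"`, although the commit message says this removes the last use of the hdb_ldb prefix and the call above it is now `hdb_samba4_create_kdc`; suggest `task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed");`. The three global assignments are correctly placed before `krb5_plugin_register`, but the `/* Register hdb-samba4 hooks */` comment was dropped and nothing explains the ordering; a comment such as `/* hdb_samba4_create() (the "samba4:" keytab plugin) reads these globals, so set them before registering the plugin */` would stop a future reorder from breaking the keytab path. Whether `ret` from `krb5_plugin_register` is checked cannot be seen here, since the function continues past the hunk.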
@@ -52,11 +50,3 @@ struct kdc_server { }; -struct hdb_ldb_private { - struct ldb_context *samdb; - struct smb_iconv_convenience *iconv_convenience; - struct loadparm_context *lp_ctx; - struct ldb_message *msg; - struct ldb_dn *realm_dn; - hdb_entry_ex *entry_ex; -}; diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 21ae7091a6..3dcdd4d439 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -103,7 +103,7 @@ static krb5_error_code make_pac(krb5_context context, return ret; } -/* Given the right private pointer from hdb_ldb, get a PAC from the attached ldb messages */ +/* Given the right private pointer from hdb_samba4, get a PAC from the attached ldb messages */ krb5_error_code samba_kdc_get_pac(void *priv, krb5_context context, struct hdb_entry_ex *client, @@ -112,7 +112,7 @@ krb5_error_code samba_kdc_get_pac(void *priv, krb5_error_code ret; NTSTATUS nt_status; struct auth_serversupplied_info *server_info; - struct hdb_ldb_private *p = talloc_get_type(client->ctx, struct hdb_ldb_private); + struct hdb_samba4_private *p = talloc_get_type(client->ctx, struct hdb_samba4_private); TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_get_pac context"); unsigned int userAccountControl; @@ -158,7 +158,7 @@ krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context, unsigned int userAccountControl; - struct hdb_ldb_private *p = talloc_get_type(server->ctx, struct hdb_ldb_private); + struct hdb_samba4_private *p = talloc_get_type(server->ctx, struct hdb_samba4_private); struct auth_serversupplied_info *server_info_out; 
@@ -241,14 +241,14 @@ krb5_error_code samba_kdc_check_client_access(void *priv, krb5_error_code ret; NTSTATUS nt_status; TALLOC_CTX *tmp_ctx; - struct hdb_ldb_private *p; + struct hdb_samba4_private *p; char *workstation = NULL; HostAddresses *addresses = req->req_body.addresses; int i; bool password_change; tmp_ctx = talloc_new(client_ex->ctx); - p = talloc_get_type(client_ex->ctx, struct hdb_ldb_private); + p = talloc_get_type(client_ex->ctx, struct hdb_samba4_private); if (!tmp_ctx) { return ENOMEM; -- cgit