From 2b858c69391b2d64f19291eb349cb5ba9e48045b Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Mon, 9 Nov 2009 21:38:49 +1100
Subject: s4-hdb: go back to a separate samdb for the KDC

The change to use a common system_session broke replication as the KDC forces CRED_DONT_USE_KERBEROS on session->credentials, which is shared with other parts of the system.

This should be fixed once we confirm whether the ldap backend actually relies on CRED_DONT_USE_KERBEROS
---
 source4/kdc/hdb-samba4.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

(limited to 'source4/kdc')

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 12f354409e..2418e5c63f 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1585,6 +1585,8 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
 krb5_context context, struct HDB **db)
 {
 struct auth_session_info *session_info;
+ NTSTATUS nt_status;
+
 *db = talloc(mem_ctx, HDB);
 if (!*db) {
 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
@@ -1595,17 +1597,30 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
 (*db)->hdb_db = NULL;
 (*db)->hdb_capability_flags = 0;
+#if 1
+ /* we would prefer to use system_session(), as that would
+ * allow us to share the samdb backend context with other parts of the
+ * system. For now we can't as we need to override the
+ * credentials to set CRED_DONT_USE_KERBEROS, which would
+ * break other users of the system_session */
+ DEBUG(0,("FIXME: Using new system session for hdb\n"));
+ nt_status = auth_system_session_info(*db, lp_ctx, &session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+#else
 session_info = system_session(lp_ctx);
 if (session_info == NULL) {
 return NT_STATUS_INTERNAL_ERROR;
 }
+#endif
 /* The idea here is very simple. Using Kerberos to
 * authenticate the KDC to the LDAP server is higly likely to
 * be circular.
 *
 * In future we may set this up to use EXERNAL and SSL
- * certificates, for now it will almost certainly be NTLMSSP
+ * certificates, for now it will almost certainly be NTLMSSP_SET_USERNAME
 */
 cli_credentials_set_kerberos_state(session_info->credentials,
-- cgit
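Review bot: The last changed line turns the comment's `NTLMSSP` into `NTLMSSP_SET_USERNAME`, which reads like an accidental edit rather than a deliberate one, since the sentence is naming the mechanism the KDC will use to bind to LDAP; restore `* certificates, for now it will almost certainly be NTLMSSP` unless a different mechanism was actually intended. The `#if 1`/`#else`/`#endif` block leaves the `system_session(lp_ctx)` path as dead code behind an unconditional preprocessor constant; either drop the `#else` branch (the comment above it already records why system_session() cannot be shared while CRED_DONT_USE_KERBEROS is forced on its credentials) or key it on a named macro so the alternative is discoverable at build time. On the new failure path `return nt_status;` leaves `*db` pointing at the partially initialised HDB allocated earlier in the function, as the existing `NT_STATUS_INTERNAL_ERROR` return also does; `talloc_free(*db); *db = NULL;` before returning would keep callers from holding a stale handle, though how callers treat a non-OK status is outside this hunk. hdb_samba4_create_kdc starts before this hunk and continues after it.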