mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB
This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless). Andrew Bartlett
This commit is contained in:
parent
b50ab318c1
commit
56f4516399
@ -1563,8 +1563,14 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
|
|||||||
static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg)
|
static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg)
|
||||||
{
|
{
|
||||||
NTSTATUS nt_status;
|
NTSTATUS nt_status;
|
||||||
|
void *ptr;
|
||||||
|
struct hdb_samba4_context *hdb_samba4_context;
|
||||||
|
if (sscanf(arg, "&%p", &ptr) != 1) {
|
||||||
|
return EINVAL;
|
||||||
|
}
|
||||||
|
hdb_samba4_context = talloc_get_type_abort(ptr, struct hdb_samba4_context);
|
||||||
/* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */
|
/* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */
|
||||||
nt_status = hdb_samba4_create_kdc(hdb_samba4_mem_ctx, hdb_samba4_ev_ctx, hdb_samba4_lp_ctx,
|
nt_status = hdb_samba4_create_kdc(hdb_samba4_context, hdb_samba4_context->ev_ctx, hdb_samba4_context->lp_ctx,
|
||||||
context, db);
|
context, db);
|
||||||
|
|
||||||
if (NT_STATUS_IS_OK(nt_status)) {
|
if (NT_STATUS_IS_OK(nt_status)) {
|
||||||
@ -1574,9 +1580,12 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Only used in the hdb-backed keytab code
|
/* Only used in the hdb-backed keytab code
|
||||||
* for a keytab of 'samba4:', to find
|
* for a keytab of 'samba4&<address>', to find
|
||||||
* kpasswd's key in the main DB, and to
|
* kpasswd's key in the main DB, and to
|
||||||
* copy all the keys into a file (libnet_keytab_export) */
|
* copy all the keys into a file (libnet_keytab_export)
|
||||||
|
*
|
||||||
|
* The <address> is the string form of a pointer to a talloced struct hdb_samba_context
|
||||||
|
*/
|
||||||
struct hdb_method hdb_samba4 = {
|
struct hdb_method hdb_samba4 = {
|
||||||
.interface_version = HDB_INTERFACE_VERSION,
|
.interface_version = HDB_INTERFACE_VERSION,
|
||||||
.prefix = "samba4",
|
.prefix = "samba4",
|
||||||
|
@ -21,8 +21,12 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
extern TALLOC_CTX *hdb_samba4_mem_ctx;
|
extern TALLOC_CTX *hdb_samba4_mem_ctx;
|
||||||
extern struct tevent_context *hdb_samba4_ev_ctx;
|
|
||||||
extern struct loadparm_context *hdb_samba4_lp_ctx;
|
struct hdb_samba4_context {
|
||||||
|
struct tevent_context *ev_ctx;
|
||||||
|
struct loadparm_context *lp_ctx;
|
||||||
|
};
|
||||||
|
|
||||||
extern struct hdb_method hdb_samba4;
|
extern struct hdb_method hdb_samba4;
|
||||||
|
|
||||||
struct hdb_samba4_private {
|
struct hdb_samba4_private {
|
||||||
|
@ -729,15 +729,20 @@ static void kdc_task_init(struct task_server *task)
|
|||||||
kdc->smb_krb5_context->krb5_context,
|
kdc->smb_krb5_context->krb5_context,
|
||||||
&kdc->config->db[0]);
|
&kdc->config->db[0]);
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed");
|
task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Register hdb-samba4 hooks */
|
/* Register hdb-samba4 hooks for use as a keytab */
|
||||||
|
|
||||||
hdb_samba4_mem_ctx = kdc->smb_krb5_context;
|
kdc->hdb_samba4_context = talloc(kdc, struct hdb_samba4_context);
|
||||||
hdb_samba4_ev_ctx = task->event_ctx;
|
if (!kdc->hdb_samba4_context) {
|
||||||
hdb_samba4_lp_ctx = task->lp_ctx;
|
task_server_terminate(task, "kdc: out of memory");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
kdc->hdb_samba4_context->ev_ctx = task->event_ctx;
|
||||||
|
kdc->hdb_samba4_context->lp_ctx = task->lp_ctx;
|
||||||
|
|
||||||
ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
|
ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
|
||||||
PLUGIN_TYPE_DATA, "hdb",
|
PLUGIN_TYPE_DATA, "hdb",
|
||||||
|
@ -47,6 +47,7 @@ struct kdc_server {
|
|||||||
struct task_server *task;
|
struct task_server *task;
|
||||||
krb5_kdc_configuration *config;
|
krb5_kdc_configuration *config;
|
||||||
struct smb_krb5_context *smb_krb5_context;
|
struct smb_krb5_context *smb_krb5_context;
|
||||||
|
struct hdb_samba4_context *hdb_samba4_context;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -448,6 +448,8 @@ bool kpasswdd_process(struct kdc_server *kdc,
|
|||||||
struct gensec_security *gensec_security;
|
struct gensec_security *gensec_security;
|
||||||
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
||||||
|
|
||||||
|
char *keytab_name;
|
||||||
|
|
||||||
if (!tmp_ctx) {
|
if (!tmp_ctx) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -489,8 +491,12 @@ bool kpasswdd_process(struct kdc_server *kdc,
|
|||||||
* we already have, rather than a new context */
|
* we already have, rather than a new context */
|
||||||
cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
|
cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
|
||||||
cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
|
cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
|
||||||
nt_status = cli_credentials_set_stored_principal(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, "kadmin/changepw");
|
|
||||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
keytab_name = talloc_asprintf(server_credentials, "HDB:samba4&%p", kdc->hdb_samba4_context);
|
||||||
|
|
||||||
|
cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED);
|
||||||
|
ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED);
|
||||||
|
if (ret != 0) {
|
||||||
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
|
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
|
||||||
KRB5_KPASSWD_HARDERROR,
|
KRB5_KPASSWD_HARDERROR,
|
||||||
talloc_asprintf(mem_ctx,
|
talloc_asprintf(mem_ctx,
|
||||||
|
@ -11,22 +11,7 @@ msDS-KeyVersionNumber: 1
|
|||||||
objectSid: ${DOMAINSID}
|
objectSid: ${DOMAINSID}
|
||||||
privateKeytab: ${SECRETS_KEYTAB}
|
privateKeytab: ${SECRETS_KEYTAB}
|
||||||
|
|
||||||
# A hook from our credentials system into HDB, as we must be on a KDC,
|
#Update a keytab for the external DNS server to use
|
||||||
# we can look directly into the database.
|
|
||||||
dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
|
|
||||||
objectClass: top
|
|
||||||
objectClass: secret
|
|
||||||
objectClass: kerberosSecret
|
|
||||||
flatname: ${DOMAIN}
|
|
||||||
realm: ${REALM}
|
|
||||||
sAMAccountName: krbtgt
|
|
||||||
objectSid: ${DOMAINSID}
|
|
||||||
servicePrincipalName: kadmin/changepw
|
|
||||||
krb5Keytab: HDB:samba4:${SAM_LDB}:
|
|
||||||
#The trailing : here is a HACK, but it matches the Heimdal format.
|
|
||||||
|
|
||||||
# A hook from our credentials system into HDB, as we must be on a KDC,
|
|
||||||
# we can look directly into the database.
|
|
||||||
dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
|
dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
|
||||||
objectClass: top
|
objectClass: top
|
||||||
objectClass: secret
|
objectClass: secret
|
||||||
|
Loading…
Reference in New Issue
Block a user