r7988: Store the KVNO for the machine account, and set it up in the provision.

Andrew Bartlett

source/include/credentials.h

@@ -58,6 +58,7 @@ struct cli_credentials {
 
 	struct creds_CredentialState *netlogon_creds;
 	enum netr_SchannelType secure_channel_type;
+	int kvno;
 
 	/* We are flagged to get machine account details from the
 	 * secrets.ldb when we are asked for a username or password */

source/lib/credentials.c

@@ -504,6 +504,7 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
 		"realm",
 		"secureChannelType",
 		"ntPwdHash",
+		"msDS-KeyVersionNumber",
 		NULL
 	};
 	
@@ -594,6 +595,8 @@ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
 		cli_credentials_set_password(cred, password, CRED_SPECIFIED);
 	}
 
+	cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0));
+	
 	talloc_free(mem_ctx);
 	
 	return NT_STATUS_OK;
@@ -651,6 +654,25 @@ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_creden
 	return cred->secure_channel_type;
 }
 
+/** 
+ * Set Kerberos KVNO
+ */
+
+void cli_credentials_set_kvno(struct cli_credentials *cred,
+			      int kvno)
+{
+	cred->kvno = kvno;
+}
+
+/**
+ * Return Kerberos KVNO
+ */
+
+int cli_credentials_get_kvno(struct cli_credentials *cred)
+{
+	return cred->kvno;
+}
+
 /**
  * Fill in a credentials structure as the anonymous user
  */

source/setup/provision.ldif

@@ -617,6 +617,7 @@ isCriticalSystemObject: TRUE
 unicodePwd: ${JOINPASS}
 servicePrincipalName: HOST/${DNSNAME}
 servicePrincipalName: HOST/${NETBIOSNAME}
+msDS-KeyVersionNumber: 1
 
 dn: CN=krbtgt,CN=Users,${BASEDN}
 objectClass: top

source/setup/secrets.ldif

@@ -28,4 +28,4 @@ secureChannelType: 6
 sAMAccountName: ${NETBIOSNAME}$
 whenCreated: ${LDAPTIME}
 whenChanged: ${LDAPTIME}
-
+msDS-KeyVersionNumber: 1