s4-kdc: move kdc_check_pac() to a new subsystem KDC-GLUE.

This subsystem should be used to provide shared code between the s4 heimdal kdc
and the s4 heimdal wdc plugin.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

source4/kdc/kdc-glue.c

@@ -0,0 +1,69 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   PAC Glue between Samba and the KDC
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
+   Copyright (C) Simo Sorce <idra@samba.org> 2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include <hdb.h>
+#include "kdc/samba_kdc.h"
+#include "kdc/pac-glue.h"
+#include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "auth/kerberos/pac_utils.h"
+#include "kdc/kdc-glue.h"
+
+int kdc_check_pac(krb5_context context,
+		  DATA_BLOB srv_sig,
+		  struct PAC_SIGNATURE_DATA *kdc_sig,
+		  struct hdb_entry_ex *ent)
+{
+	krb5_enctype etype;
+	int ret;
+	krb5_keyblock keyblock;
+	Key *key;
+
+	if (kdc_sig->type == CKSUMTYPE_HMAC_MD5) {
+		etype = ENCTYPE_ARCFOUR_HMAC;
+	} else {
+		ret = krb5_cksumtype_to_enctype(context,
+						kdc_sig->type,
+						&etype);
+		if (ret != 0) {
+			return ret;
+		}
+	}
+
+#if HDB_ENCTYPE2KEY_TAKES_KEYSET
+	ret = hdb_enctype2key(context, &ent->entry, NULL, etype, &key);
+#else
+	ret = hdb_enctype2key(context, &ent->entry, etype, &key);
+#endif
+
+	if (ret != 0) {
+		return ret;
+	}
+
+	keyblock = key->key;
+
+	return check_pac_checksum(srv_sig, kdc_sig,
+				 context, &keyblock);
+}

source4/kdc/kdc-glue.h

@@ -81,4 +81,9 @@ NTSTATUS kdc_tcp_proxy_recv(struct tevent_req *req,
 			    TALLOC_CTX *mem_ctx,
 			    DATA_BLOB *out);
 
+/* from kdc-glue.c */
+int kdc_check_pac(krb5_context krb5_context,
+		  DATA_BLOB server_sig,
+		  struct PAC_SIGNATURE_DATA *kdc_sig,
+		  hdb_entry_ex *ent);
 #endif

source4/kdc/pac-glue.c

@@ -430,42 +430,3 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
 	talloc_free(tmp_ctx);
 	return nt_status;
 }
-
-int kdc_check_pac(krb5_context context,
-		  DATA_BLOB srv_sig,
-		  struct PAC_SIGNATURE_DATA *kdc_sig,
-		  hdb_entry_ex *ent)
-{
-	krb5_enctype etype;
-	int ret;
-	krb5_keyblock keyblock;
-	Key *key;
-	if (kdc_sig->type == CKSUMTYPE_HMAC_MD5) {
-		etype = ENCTYPE_ARCFOUR_HMAC;
-	} else {
-		ret = krb5_cksumtype_to_enctype(context, 
-						kdc_sig->type,
-						&etype);
-		if (ret != 0) {
-			return ret;
-		}
-	}
-
-#if HDB_ENCTYPE2KEY_TAKES_KEYSET
-	ret = hdb_enctype2key(context, &ent->entry, NULL, etype, &key);
-#else
-	ret = hdb_enctype2key(context, &ent->entry, etype, &key);
-#endif
-
-	if (ret != 0) {
-		return ret;
-	}
-
-	keyblock = key->key;
-
-	return check_pac_checksum(srv_sig, kdc_sig,
-				 context, &keyblock);
-}
-
-
-

source4/kdc/pac-glue.h

@@ -55,7 +55,3 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
 				       const char *client_name,
 				       const char *workstation,
 				       bool password_change);
-int kdc_check_pac(krb5_context krb5_context,
-		  DATA_BLOB server_sig,
-		  struct PAC_SIGNATURE_DATA *kdc_sig,
-		  hdb_entry_ex *ent);

source4/kdc/wscript_build

@@ -7,12 +7,22 @@ else:
     kdc_include = getattr(bld.env, "CPPPATH_KDC")
 
 bld.SAMBA_MODULE('service_kdc',
-	source='kdc.c kpasswdd.c proxy.c',
-	subsystem='service',
-	init_function='server_service_kdc_init',
-	deps='kdc HDB_SAMBA4 WDC_SAMBA4 samba-hostconfig LIBTSOCKET LIBSAMBA_TSOCKET com_err samba_server_gensec PAC_GLUE',
-	internal_module=False,
-	)
+                 source='kdc.c kpasswdd.c proxy.c',
+                 subsystem='service',
+                 init_function='server_service_kdc_init',
+                 deps='''
+                      kdc
+                      HDB_SAMBA4
+                      WDC_SAMBA4
+                      samba-hostconfig
+                      LIBTSOCKET
+                      LIBSAMBA_TSOCKET
+                      com_err
+                      samba_server_gensec
+                      PAC_GLUE
+                      KDC-GLUE
+                 ''',
+                 internal_module=False)
 
 
 bld.SAMBA_LIBRARY('HDB_SAMBA4',
@@ -34,10 +44,17 @@ bld.SAMBA_LIBRARY('HDB_SAMBA4_PLUGIN',
                   enabled = (bld.CONFIG_SET("USING_SYSTEM_KRB5") and bld.CONFIG_SET("USING_SYSTEM_HDB"))
                   )
 
+bld.SAMBA_SUBSYSTEM('KDC-GLUE',
+	source='kdc-glue.c',
+        includes=kdc_include,
+	deps='hdb PAC_GLUE',
+	enabled=bld.CONFIG_SET('SAMBA4_USES_HEIMDAL')
+	)
+
 bld.SAMBA_SUBSYSTEM('WDC_SAMBA4',
 	source='wdc-samba4.c',
         includes=kdc_include,
-	deps='ldb auth4_sam auth_sam_reply samba-credentials hdb PAC_GLUE samba-hostconfig com_err',
+	deps='ldb auth4_sam auth_sam_reply samba-credentials hdb PAC_GLUE samba-hostconfig com_err KDC-GLUE',
 	enabled=bld.CONFIG_SET('SAMBA4_USES_HEIMDAL')
 	)