along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#define TEVENT_DEPRECATED 1
+
#include "includes.h"
#include "param/param.h"
#include "dsdb/samdb/samdb.h"
-#include "auth/auth.h"
-#include "auth/credentials/credentials.h"
#include "system/kerberos.h"
-#include "hdb.h"
+#include <hdb.h>
#include "mit_samba_interface.h"
#include "auth/kerberos/kerberos.h"
#include "kdc/samba_kdc.h"
static int mit_samba_context_init(struct mit_samba_context **_ctx)
{
+ NTSTATUS status;
struct mit_samba_context *ctx;
const char *s4_conf_file;
int ret;
-
+ struct samba_kdc_base_context base_ctx;
ctx = talloc(NULL, struct mit_samba_context);
if (!ctx) {
goto done;
}
- ctx->db_ctx = talloc_zero(ctx, struct samba_kdc_db_context);
- if (!ctx->db_ctx) {
- ret = ENOMEM;
- goto done;
- }
-
- ctx->db_ctx->ev_ctx = tevent_context_init(ctx);
- if (!ctx->db_ctx->ev_ctx) {
+ base_ctx.ev_ctx = tevent_context_init(ctx);
+ if (!base_ctx.ev_ctx) {
ret = ENOMEM;
goto done;
}
- ctx->db_ctx->lp_ctx = loadparm_init(ctx);
- if (!ctx->db_ctx->lp_ctx) {
+ tevent_loop_allow_nesting(base_ctx.ev_ctx);
+ base_ctx.lp_ctx = loadparm_init_global(false);
+ if (!base_ctx.lp_ctx) {
ret = ENOMEM;
goto done;
}
-
/* init s4 configuration */
- s4_conf_file = lpcfg_configfile(ctx->db_ctx->lp_ctx);
+ s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
if (s4_conf_file) {
- lpcfg_load(ctx->db_ctx->lp_ctx, s4_conf_file);
+ lpcfg_load(base_ctx.lp_ctx, s4_conf_file);
} else {
- lpcfg_load_default(ctx->db_ctx->lp_ctx);
- }
-
- ctx->session_info = system_session(ctx->db_ctx->lp_ctx);
- if (!ctx->session_info) {
- ret = EFAULT;
- goto done;
+ lpcfg_load_default(base_ctx.lp_ctx);
}
- cli_credentials_set_kerberos_state(ctx->session_info->credentials,
- CRED_DONT_USE_KERBEROS);
-
- ctx->db_ctx->samdb = samdb_connect(ctx->db_ctx,
- ctx->db_ctx->ev_ctx,
- ctx->db_ctx->lp_ctx,
- ctx->session_info);
- if (!ctx->db_ctx->samdb) {
- ret = EFAULT;
+ status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = EINVAL;
goto done;
}
/* init heimdal's krb_context and log facilities */
ret = smb_krb5_init_context_basic(ctx,
- ctx->db_ctx->ev_ctx,
ctx->db_ctx->lp_ctx,
&ctx->context);
if (ret) {
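Review bot: The failure branch after `samba_kdc_setup_db_ctx` (the `if (!NT_STATUS_IS_OK(status))` block) collapses the NTSTATUS into a bare `EINVAL` and logs nothing, so a KDC that cannot open the SAM database fails with no indication why; this file already reports errors with `DEBUG(0, (... nt_errstr(...)))`, so add `DEBUG(0, ("samba_kdc_setup_db_ctx failed: %s\n", nt_errstr(status)));` before `ret = EINVAL;`. `base_ctx` is declared without an initializer and only `ev_ctx` and `lp_ctx` are assigned before it is handed to `samba_kdc_setup_db_ctx`; unless that struct is known to have exactly those two members, declare it as `struct samba_kdc_base_context base_ctx = {0};` so no other field is passed uninitialized. The return values of `lpcfg_load` and `lpcfg_load_default` are still ignored, which lets the KDC continue on default settings if smb.conf fails to parse — either check them or comment that running on defaults is intended. Note also that `ret` is not assigned on the `if (!ctx) goto done;` path in the lines shown; what `done:` returns in that case is outside the hunk, as is the rest of the function's tail.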
}
ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
- principal, flags, hentry);
+ principal, flags, 0, hentry);
krb5_free_principal(ctx->context, principal);
goto done;
}
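Review bot: The new `0` inserted between `flags` and `hentry` in the `samba_kdc_fetch` call is a bare literal whose meaning is not visible at the call site; if it is a key version number with 0 meaning "current key", say so inline, e.g. `principal, flags, 0 /* kvno: current key */, hentry);`, or use whatever named constant the kdc headers provide for it. The enclosing function starts before the hunk.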
+ /* TODO: An implementation-specific decision will need to be
+ * made as to when to check the KDC pac signature, and how to
+ * untrust untrusted RODCs */
nt_status = samba_kdc_update_pac_blob(tmp_ctx, ctx->context,
- &pac, logon_blob);
+ pac, logon_blob, NULL, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Building PAC failed: %s\n",
nt_errstr(nt_status)));
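Review bot: The two trailing `NULL, NULL` arguments to `samba_kdc_update_pac_blob`, together with the TODO above the call saying the KDC PAC signature check and RODC handling are deferred, mean this path builds the outgoing PAC without verifying the incoming KDC signature — the check that stops a compromised or untrusted RODC from presenting a PAC the full KDC then re-signs. That consequence should be stated plainly rather than left as a TODO, e.g. `/* NOTE: no KDC PAC signature verification yet -- PACs from RODC-issued tickets are accepted as-is; do not deploy this backend alongside RODCs until this is addressed */`, so the limitation is visible to anyone deploying the MIT backend. If those NULLs are the signature out-parameters of `samba_kdc_update_pac_blob` (they look like it, but the prototype is not in view), the cheapest follow-up is to request them here and refuse the request when the KDC signature does not verify against the issuing krbtgt key. The enclosing function starts and ends outside the hunk.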
const char *target_name,
bool is_nt_enterprise_name)
{
+#if 1
+ /*
+ * This is disabled because mit_samba_update_pac_data() does not handle
+ * S4U_DELEGATION_INFO
+ */
+
+ return KRB5KDC_ERR_BADOPTION;
+#else
krb5_principal target_principal;
int flags = 0;
int ret;
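Review bot: Returning `KRB5KDC_ERR_BADOPTION` unconditionally is the right fail-closed choice while `mit_samba_update_pac_data()` cannot emit S4U_DELEGATION_INFO, but `#if 1` is an anonymous switch that nobody can grep for or flip from the build; prefer a named macro such as `#ifndef MIT_SAMBA_S4U2PROXY_SUPPORTED` (left undefined) so the disabled branch is discoverable and the condition for re-enabling it is explicit. The comment should also say what callers observe, e.g. `/* Fail closed: every constrained-delegation (S4U2Proxy) request is refused with KRB5KDC_ERR_BADOPTION until mit_samba_update_pac_data() can emit S4U_DELEGATION_INFO. */`. The function's signature begins before the hunk and its body continues after it.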
return ret;
}
- ret = samba_kdc_check_identical_client_and_server(ctx->context,
- ctx->db_ctx,
- entry,
- target_principal);
+ ret = samba_kdc_check_s4u2proxy(ctx->context,
+ ctx->db_ctx,
+ entry,
+ target_principal);
krb5_free_principal(ctx->context, target_principal);
return ret;
+#endif
}
struct mit_samba_function_table mit_samba_function_table = {