This was used in only 2 places, db-glue.c and the lsa server.
In db-glue.c it is awkward though, as it forces to use an unconvenient lsa
structure and conversions from time_t to nt_time only to have nt_times
converted back to time_t for actual use. This is silly.
Also the kdc-policy file was a single funciton library, that's just ridiculous.
The loadparm helper is all we need to keep the values consistent, and if we
ever end up doing something with group policies we will care about it when it's
the time. the code would have to change quite a lot anyway.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
#include <hdb.h>
#include "kdc/samba_kdc.h"
#include "kdc/kdc-glue.h"
-#include "kdc/kdc-policy.h"
#include "kdc/db-glue.h"
#define SAMBA_KVNO_GET_KRBTGT(kvno) \
}
if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
- *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime);
+ *entry_ex->entry.max_life = kdc_db_ctx->policy.svc_tkt_lifetime;
} else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
- *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime);
+ *entry_ex->entry.max_life = kdc_db_ctx->policy.usr_tkt_lifetime;
} else {
- *entry_ex->entry.max_life = MIN(nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime),
- nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime));
+ *entry_ex->entry.max_life = MIN(kdc_db_ctx->policy.svc_tkt_lifetime,
+ kdc_db_ctx->policy.usr_tkt_lifetime);
}
entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
goto out;
}
- *entry_ex->entry.max_renew = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_renewaltime);
+ *entry_ex->entry.max_renew = kdc_db_ctx->policy.renewal_lifetime;
entry_ex->entry.generation = NULL;
kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
- kdc_get_policy(base_ctx->lp_ctx, NULL, &kdc_db_ctx->policy);
+ /* get default kdc policy */
+ lpcfg_default_kdc_policy(base_ctx->lp_ctx,
+ &kdc_db_ctx->policy.svc_tkt_lifetime,
+ &kdc_db_ctx->policy.usr_tkt_lifetime,
+ &kdc_db_ctx->policy.renewal_lifetime);
session_info = system_session(kdc_db_ctx->lp_ctx);
if (session_info == NULL) {
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
-
- KDC Policy
-
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-struct lsa_DomainInfoKerberos;
-struct loadparm_context;
-struct smb_krb5_context;
-#include "kdc/kdc-policy-proto.h"
+++ /dev/null
-/*
- Unix SMB/CIFS implementation.
-
- KDC Policy
-
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
-#include "param/param.h"
-#include "kdc/kdc-policy.h"
-
-void kdc_get_policy(struct loadparm_context *lp_ctx,
- struct smb_krb5_context *smb_krb5_context,
- struct lsa_DomainInfoKerberos *k)
-{
- time_t svc_tkt_lifetime;
- time_t usr_tkt_lifetime;
- time_t renewal_lifetime;
-
- /* These should be set and stored via Group Policy, but until then, some defaults are in order */
-
- /* Our KDC always re-validates the client */
- k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
-
- lpcfg_default_kdc_policy(lp_ctx, &svc_tkt_lifetime,
- &usr_tkt_lifetime, &renewal_lifetime);
-
- unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
- unix_to_nt_time(&k->user_tkt_lifetime, usr_tkt_lifetime);
- unix_to_nt_time(&k->user_tkt_renewaltime, renewal_lifetime);
- if (smb_krb5_context) {
- unix_to_nt_time(&k->clock_skew,
- krb5_get_max_time_skew(smb_krb5_context->krb5_context));
- }
- k->reserved = 0;
-}
#ifndef _SAMBA_KDC_H_
#define _SAMBA_KDC_H_
+struct samba_kdc_policy {
+ time_t svc_tkt_lifetime;
+ time_t usr_tkt_lifetime;
+ time_t renewal_lifetime;
+};
+
struct samba_kdc_base_context {
struct tevent_context *ev_ctx;
struct loadparm_context *lp_ctx;
bool rodc;
unsigned int my_krbtgt_number;
struct ldb_dn *krbtgt_dn;
- struct lsa_DomainInfoKerberos policy;
+ struct samba_kdc_policy policy;
};
struct samba_kdc_entry {
bld.SAMBA_LIBRARY('db-glue',
source='db-glue.c',
- deps='ldb auth4_sam auth_sam_reply samba-credentials hdb samba-hostconfig com_err kdc-policy',
+ deps='ldb auth4_sam auth_sam_reply samba-credentials hdb samba-hostconfig com_err',
private_library=True,
includes='../heimdal/kdc',
)
-bld.SAMBA_LIBRARY('kdc-policy',
- source='policy.c',
- deps='samba-hostconfig authkrb5',
- private_library=True,
- autoproto = 'kdc-policy-proto.h'
- )
-
-
bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
source='mit_samba.c',
deps='ldb auth4_sam auth_sam_reply samba-credentials hdb db-glue PAC_GLUE samba-hostconfig com_err'
#include "lib/util/tsort.h"
#include "dsdb/common/util.h"
#include "libcli/security/session.h"
-#include "kdc/kdc-policy.h"
#include "libcli/lsarpc/util_lsarpc.h"
/*
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
+static void kdc_get_policy(struct loadparm_context *lp_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ struct lsa_DomainInfoKerberos *k)
+{
+ time_t svc_tkt_lifetime;
+ time_t usr_tkt_lifetime;
+ time_t renewal_lifetime;
+
+ /* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+ /* Our KDC always re-validates the client */
+ k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+ lpcfg_default_kdc_policy(lp_ctx, &svc_tkt_lifetime,
+ &usr_tkt_lifetime, &renewal_lifetime);
+
+ unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
+ unix_to_nt_time(&k->user_tkt_lifetime, usr_tkt_lifetime);
+ unix_to_nt_time(&k->user_tkt_renewaltime, renewal_lifetime);
+ if (smb_krb5_context) {
+ unix_to_nt_time(&k->clock_skew,
+ krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+ }
+ k->reserved = 0;
+}
/*
lsa_QueryDomainInformationPolicy
*/
autoproto='lsa/proto.h',
subsystem='dcerpc_server',
init_function='dcerpc_server_lsa_init',
- deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security kdc-policy UTIL_LSARPC'
+ deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security UTIL_LSARPC'
)