authorAndrew Bartlett <abartlet@samba.org>2016-01-08 14:08:18 +1300
committerJoseph Sutton <jsutton@samba.org>2022-01-19 20:50:35 +0000
commit5a05066bafc432ddfd2bdbba14934308ba57071b (patch)
tree29ec081327650a26501a13e569508c7b82859bd4 /source4
parent3d8edb7b768578816b68c41aef0aae4222cb0b11 (diff)
downloadsamba-5a05066bafc432ddfd2bdbba14934308ba57071b.tar.gz
s4:kdc: Update to match updated Heimdal's new HDB version
Including updates to hook into the improved hdb_auth_status by Stefan Metzmacher <metze@samba.org> from his Heimdal upgrade branch. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/kdc/db-glue.c10
-rw-r--r--source4/kdc/db-glue.h2
-rw-r--r--source4/kdc/hdb-samba4-plugin.c2
-rw-r--r--source4/kdc/hdb-samba4.c86
-rw-r--r--source4/kdc/kdc-glue.c4
-rw-r--r--source4/kdc/sdb.h12
-rw-r--r--source4/kdc/sdb_to_hdb.c14
-rw-r--r--source4/kdc/wdc-samba4.c2
8 files changed, 86 insertions, 46 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 22106bf8665..06b8eeec41d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -235,8 +235,12 @@ static struct SDBFlags uf2SDBFlags(krb5_context context, uint32_t userAccountCon
flags.require_preauth = 0;
} else {
flags.require_preauth = 1;
+ }
+ if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
+ flags.no_auth_data_reqd = 1;
}
+
return flags;
}
@@ -2540,9 +2544,9 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
* the time the principal was presented to the KDC.
*/
krb5_error_code
-samba_kdc_check_s4u2self(krb5_context context,
- struct samba_kdc_entry *skdc_entry_client,
- struct samba_kdc_entry *skdc_entry_server_target)
+samba_kdc_check_client_matches_target_service(krb5_context context,
+ struct samba_kdc_entry *skdc_entry_client,
+ struct samba_kdc_entry *skdc_entry_server_target)
{
struct dom_sid *orig_sid;
struct dom_sid *target_sid;
diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h
index cadfac1deb8..4defca2320c 100644
--- a/source4/kdc/db-glue.h
+++ b/source4/kdc/db-glue.h
@@ -39,7 +39,7 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
struct sdb_entry_ex *entry);
krb5_error_code
-samba_kdc_check_s4u2self(krb5_context context,
+samba_kdc_check_client_matches_target_service(krb5_context context,
struct samba_kdc_entry *skdc_entry_client,
struct samba_kdc_entry *skdc_entry_server_target);
diff --git a/source4/kdc/hdb-samba4-plugin.c b/source4/kdc/hdb-samba4-plugin.c
index 6f76124995d..9dc4784f379 100644
--- a/source4/kdc/hdb-samba4-plugin.c
+++ b/source4/kdc/hdb-samba4-plugin.c
@@ -72,7 +72,7 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db,
return EINVAL;
}
-#if (HDB_INTERFACE_VERSION != 8 && HDB_INTERFACE_VERSION != 7)
+#if (HDB_INTERFACE_VERSION != 11)
#error "Unsupported Heimdal HDB version"
#endif
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 92bc5ff28a6..9132bb46212 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -83,9 +83,13 @@ static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned
return HDB_ERR_DB_INUSE;
}
-static krb5_error_code hdb_samba4_remove(krb5_context context, HDB *db, krb5_const_principal principal)
+/*
+ * If we ever want kadmin to work fast, we might try and reopen the
+ * ldb with LDB_NOSYNC
+ */
+static krb5_error_code hdb_samba4_set_sync(krb5_context context, struct HDB *db, int set_sync)
{
- return HDB_ERR_DB_INUSE;
+ return 0;
}
static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
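Review bot: The new `hdb_samba4_set_sync` accepts `set_sync` and returns 0 without acting on it, and the comment above it describes a possible future rather than the present contract, so a caller asking for sync=0 gets success while nothing changes. A comment stating the actual behaviour would be clearer, for example `/* Accepted and ignored: this backend does not toggle ldb sync mode, so report success. */` placed above the function. The same hunk drops `hdb_samba4_remove`, which previously returned `HDB_ERR_DB_INUSE`; whether anything still calls through `hdb_remove` after the later hunk in `hdb_samba4_create_kdc` stops assigning it is not visible here and is worth confirming.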
@@ -273,7 +277,7 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
}
static krb5_error_code
-hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
+hdb_samba4_check_client_matches_target_service(krb5_context context, HDB *db,
hdb_entry_ex *client_entry,
hdb_entry_ex *server_target_entry)
{
@@ -284,9 +288,9 @@ hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
= talloc_get_type_abort(server_target_entry->ctx,
struct samba_kdc_entry);
- return samba_kdc_check_s4u2self(context,
- skdc_client_entry,
- skdc_server_target_entry);
+ return samba_kdc_check_client_matches_target_service(context,
+ skdc_client_entry,
+ skdc_server_target_entry);
}
static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx,
@@ -365,13 +369,15 @@ static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
irpc_handle, &req);
}
-static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
+static krb5_error_code hdb_samba4_auth_status(krb5_context context,
+ HDB *db,
hdb_entry_ex *entry,
- struct sockaddr *from_addr,
- struct timeval *start_time,
+ const struct timeval *start_time,
+ const struct sockaddr *from_addr,
const char *original_client_name,
- const char *auth_type,
- int hdb_auth_status)
+ int hdb_auth_status,
+ const char *auth_details,
+ const char *pa_type)
{
struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
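Review bot: The new `auth_details` and `pa_type` parameters are undocumented, and the swap of `start_time` and `from_addr` in the signature is easy to misread given the old order directly above it. Because this is a Heimdal callback whose prototype is defined by the library, a short block comment above the function saying which Heimdal value feeds each parameter and that `pa_type` may be NULL (the body below treats it that way) would spare the next reader a trip into the HDB headers. `hdb_samba4_auth_status` continues past the end of this hunk.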
@@ -392,8 +398,8 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
.domain_name = NULL,
},
.service_description = "Kerberos KDC",
- .auth_description = "ENC-TS Pre-authentication",
- .password_type = auth_type,
+ .auth_description = "Unknown Auth Description",
+ .password_type = auth_details,
.logon_id = logon_id
};
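Review bot: `"Unknown Auth Description"` reads as a placeholder that is meant to be overwritten per `hdb_auth_status` further down, and the `HDB_AUTHSTATUS_AUTHORIZATION_SUCCESS` path (its body is partly outside the hunks shown) is the one where I cannot confirm that happens; if it does not, that string reaches the audit log. A comment on the initializer would make the intent explicit, for example `/* placeholder; each hdb_auth_status case below sets the real description */`, and a sighting of the placeholder in logs then signals a missed case. `.password_type = auth_details` also presumes `auth_details` always names a password mechanism, which for the PKINIT statuses added in this commit may not hold.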
@@ -411,7 +417,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
}
switch (hdb_auth_status) {
- case HDB_AUTHZ_SUCCESS:
+ case HDB_AUTHSTATUS_AUTHORIZATION_SUCCESS:
{
TALLOC_CTX *frame = talloc_stackframe();
struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
@@ -431,10 +437,13 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
talloc_free(frame);
break;
}
- case HDB_AUTH_INVALID_SIGNATURE:
- break;
- case HDB_AUTH_CORRECT_PASSWORD:
- case HDB_AUTH_WRONG_PASSWORD:
+ case HDB_AUTHSTATUS_CLIENT_LOCKED_OUT:
+ case HDB_AUTHSTATUS_CORRECT_PASSWORD:
+ case HDB_AUTHSTATUS_WRONG_PASSWORD:
+ case HDB_AUTHSTATUS_GENERIC_SUCCESS:
+ case HDB_AUTHSTATUS_GENERIC_FAILURE:
+ case HDB_AUTHSTATUS_PKINIT_SUCCESS:
+ case HDB_AUTHSTATUS_PKINIT_FAILURE:
{
TALLOC_CTX *frame = talloc_stackframe();
struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
@@ -445,6 +454,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
= ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
struct tsocket_address *remote_host;
+ const char *auth_description = NULL;
NTSTATUS status;
int ret;
@@ -460,7 +470,19 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
ui.mapped.account_name = account_name;
ui.mapped.domain_name = domain_name;
- if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
+ if (pa_type != NULL) {
+ auth_description = talloc_asprintf(frame,
+ "%s Pre-authentication",
+ pa_type);
+ if (auth_description == NULL) {
+ auth_description = pa_type;
+ }
+ } else {
+ auth_description = "Unknown Pre-authentication";
+ }
+ ui.auth_description = auth_description;
+
+ if (hdb_auth_status == HDB_AUTHSTATUS_WRONG_PASSWORD) {
authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
status = NT_STATUS_WRONG_PASSWORD;
/*
@@ -471,8 +493,20 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
if (kdc_db_ctx->rodc) {
send_bad_password_netlogon(frame, kdc_db_ctx, &ui);
}
- } else {
+ } else if (hdb_auth_status == HDB_AUTHSTATUS_CLIENT_LOCKED_OUT) {
+ status = NT_STATUS_ACCOUNT_LOCKED_OUT;
+ } else if (hdb_auth_status == HDB_AUTHSTATUS_CORRECT_PASSWORD) {
+ status = NT_STATUS_OK;
+ } else if (hdb_auth_status == HDB_AUTHSTATUS_GENERIC_SUCCESS) {
+ status = NT_STATUS_OK;
+ } else if (hdb_auth_status == HDB_AUTHSTATUS_GENERIC_FAILURE) {
+ status = NT_STATUS_GENERIC_COMMAND_FAILED;
+ } else if (hdb_auth_status == HDB_AUTHSTATUS_PKINIT_SUCCESS) {
status = NT_STATUS_OK;
+ } else if (hdb_auth_status == HDB_AUTHSTATUS_PKINIT_FAILURE) {
+ status = NT_STATUS_PKINIT_FAILURE;
+ } else {
+ status = NT_STATUS_INTERNAL_ERROR;
}
log_authentication_event(kdc_db_ctx->msg_ctx,
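Review bot: The new `else if` chain repeats every enumerator already listed as a `case` label of the enclosing `switch (hdb_auth_status)`, so the two lists must be kept in sync by hand and the final `NT_STATUS_INTERNAL_ERROR` branch is only reachable when they diverge. A nested `switch` expresses the same mapping once per enumerator, groups the three statuses that all map to `NT_STATUS_OK`, and keeps the defensive default; the wrong-password branch keeps its bad-password bookkeeping unchanged. This is a readability point only; the mapping itself looks correct.
```c
switch (hdb_auth_status) {
case HDB_AUTHSTATUS_WRONG_PASSWORD:
	/* … unchanged: authsam_update_bad_pwd_count() and RODC forwarding … */
	status = NT_STATUS_WRONG_PASSWORD;
	break;
case HDB_AUTHSTATUS_CLIENT_LOCKED_OUT:
	status = NT_STATUS_ACCOUNT_LOCKED_OUT;
	break;
case HDB_AUTHSTATUS_CORRECT_PASSWORD:
case HDB_AUTHSTATUS_GENERIC_SUCCESS:
case HDB_AUTHSTATUS_PKINIT_SUCCESS:
	status = NT_STATUS_OK;
	break;
case HDB_AUTHSTATUS_GENERIC_FAILURE:
	status = NT_STATUS_GENERIC_COMMAND_FAILED;
	break;
case HDB_AUTHSTATUS_PKINIT_FAILURE:
	status = NT_STATUS_PKINIT_FAILURE;
	break;
default:
	status = NT_STATUS_INTERNAL_ERROR;
	break;
}
```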
@@ -486,7 +520,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
TALLOC_FREE(frame);
break;
}
- case HDB_AUTH_CLIENT_UNKNOWN:
+ case HDB_AUTHSTATUS_CLIENT_UNKNOWN:
{
struct tsocket_address *remote_host;
int ret;
@@ -500,6 +534,12 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
ui.remote_host = remote_host;
}
+ if (pa_type == NULL) {
+ pa_type = "AS-REQ";
+ }
+
+ ui.auth_description = pa_type;
+
log_authentication_event(kdc_db_ctx->msg_ctx,
kdc_db_ctx->lp_ctx,
start_time,
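Review bot: In the `HDB_AUTHSTATUS_CLIENT_UNKNOWN` path `ui.auth_description` is set to the bare `pa_type` (or `"AS-REQ"`), whereas the known-client path earlier in this function formats the same value as `"%s Pre-authentication"`, so one pre-auth mechanism is logged under two different descriptions depending only on whether the principal exists. Anyone correlating the authentication log on that field will see unknown-principal attempts as a separate category, which may or may not be intended. Either apply the same formatting here or add a comment such as `/* unknown client: log the raw pa_type, no "Pre-authentication" suffix */` so the difference is documented. Reassigning the `pa_type` parameter also reads better as a local, e.g. `const char *desc = (pa_type != NULL) ? pa_type : "AS-REQ";`.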
@@ -552,11 +592,11 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
(*db)->hdb_close = hdb_samba4_close;
(*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
(*db)->hdb_store = hdb_samba4_store;
- (*db)->hdb_remove = hdb_samba4_remove;
(*db)->hdb_firstkey = hdb_samba4_firstkey;
(*db)->hdb_nextkey = hdb_samba4_nextkey;
(*db)->hdb_lock = hdb_samba4_lock;
(*db)->hdb_unlock = hdb_samba4_unlock;
+ (*db)->hdb_set_sync = hdb_samba4_set_sync;
(*db)->hdb_rename = hdb_samba4_rename;
/* we don't implement these, as we are not a lockable database */
(*db)->hdb__get = NULL;
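Review bot: `(*db)->hdb_remove` is no longer assigned, while the explicit `hdb_samba4_remove` that returned `HDB_ERR_DB_INUSE` was removed in an earlier hunk of this file. Whether `*db` is zero-allocated above (outside this hunk) decides whether the slot is now NULL or indeterminate; in the NULL case any HDB caller that still invokes `hdb_remove` would dereference a null function pointer instead of receiving the previous explicit error. Since the neighbouring lines already document unimplemented members with `(*db)->hdb__get = NULL;`, doing the same for this one, `(*db)->hdb_remove = NULL; /* not a writable database */`, would make the intent visible and match the surrounding style.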
@@ -568,7 +608,7 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
(*db)->hdb_auth_status = hdb_samba4_auth_status;
(*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
(*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
- (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;
+ (*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service;
return NT_STATUS_OK;
}
diff --git a/source4/kdc/kdc-glue.c b/source4/kdc/kdc-glue.c
index a64827d0309..c6cc61ad02d 100644
--- a/source4/kdc/kdc-glue.c
+++ b/source4/kdc/kdc-glue.c
@@ -52,11 +52,7 @@ int kdc_check_pac(krb5_context context,
}
}
-#if HDB_ENCTYPE2KEY_TAKES_KEYSET
ret = hdb_enctype2key(context, &ent->entry, NULL, etype, &key);
-#else
- ret = hdb_enctype2key(context, &ent->entry, etype, &key);
-#endif
if (ret != 0) {
return ret;
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index a9115ec23d7..17f06cf81a8 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -64,12 +64,12 @@ struct SDBFlags {
unsigned int allow_kerberos4:1;
unsigned int allow_digest:1;
unsigned int locked_out:1;
- unsigned int _unused18:1;
- unsigned int _unused19:1;
- unsigned int _unused20:1;
- unsigned int _unused21:1;
- unsigned int _unused22:1;
- unsigned int _unused23:1;
+ unsigned int require_pwchange:1;
+ unsigned int materialize:1;
+ unsigned int virtual_keys:1;
+ unsigned int virtual:1;
+ unsigned int synthetic:1;
+ unsigned int no_auth_data_reqd:1;
unsigned int _unused24:1;
unsigned int _unused25:1;
unsigned int _unused26:1;
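Review bot: Of the six flags that replace `_unused18` to `_unused23` in `struct SDBFlags`, only `no_auth_data_reqd` is set anywhere on this page (in `uf2SDBFlags` of db-glue.c); `require_pwchange`, `materialize`, `virtual_keys`, `virtual` and `synthetic` are copied through to Heimdal in `sdb_flags_to_hdb_flags` but, as far as this commit shows, are never set by Samba. Since `sdb_to_hdb.c` copies field by field, the names need not share bit positions with Heimdal's `HDBFlags`, but they do need to stay in one-to-one correspondence; a comment on the struct saying so, e.g. `/* mirrors Heimdal HDBFlags; sdb_flags_to_hdb_flags() copies each member by name */`, would help the next person who adds a flag to one side only. The field named `virtual` is also a C++ keyword, which only matters if this header is ever included from C++.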
diff --git a/source4/kdc/sdb_to_hdb.c b/source4/kdc/sdb_to_hdb.c
index 66ee763dd60..4ae3f26a947 100644
--- a/source4/kdc/sdb_to_hdb.c
+++ b/source4/kdc/sdb_to_hdb.c
@@ -51,12 +51,12 @@ static void sdb_flags_to_hdb_flags(const struct SDBFlags *s,
h->allow_kerberos4 = s->allow_kerberos4;
h->allow_digest = s->allow_digest;
h->locked_out = s->locked_out;
- h->_unused18 = s->_unused18;
- h->_unused19 = s->_unused19;
- h->_unused20 = s->_unused20;
- h->_unused21 = s->_unused21;
- h->_unused22 = s->_unused22;
- h->_unused23 = s->_unused23;
+ h->require_pwchange = s->require_pwchange;
+ h->materialize = s->materialize;
+ h->virtual_keys = s->virtual_keys;
+ h->virtual = s->virtual;
+ h->synthetic = s->synthetic;
+ h->no_auth_data_reqd = s->no_auth_data_reqd;
h->_unused24 = s->_unused24;
h->_unused25 = s->_unused25;
h->_unused26 = s->_unused26;
@@ -175,7 +175,7 @@ static int sdb_event_to_Event(krb5_context context,
static int sdb_entry_to_hdb_entry(krb5_context context,
const struct sdb_entry *s,
- struct hdb_entry *h)
+ hdb_entry *h)
{
unsigned int i;
int rc;
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index c1e8780f5d3..6a5565d511e 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -213,7 +213,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
return ret;
}
}
- ret = hdb_enctype2key(context, &krbtgt->entry, etype, &key);
+ ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key);
if (ret != 0) {
talloc_free(mem_ctx);
return ret;