diff options
| author | Günther Deschner <gd@samba.org> | 2014-05-08 17:13:04 +0200 |
|---|---|---|
| committer | Andreas Schneider <asn@cryptomilk.org> | 2015-07-30 13:29:27 +0200 |
| commit | d49b4aafa81d121e9122f84b0e66fb566d70c3e9 (patch) | |
| tree | 5a4a5315e2777492109e8128905fd3d20db3543d /source4 | |
| parent | 99d3719e7d3073989442cffe635c3ac7a0bc200c (diff) | |
| download | samba-d49b4aafa81d121e9122f84b0e66fb566d70c3e9.tar.gz | |
s4-kdc: Use sdb in db-glue and hdb-samba4
Guenther
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 30 13:29:27 CEST 2015 on sn-devel-104
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/kdc/db-glue.c | 198 | ||||
| -rw-r--r-- | source4/kdc/db-glue.h | 8 | ||||
| -rw-r--r-- | source4/kdc/hdb-samba4.c | 49 | ||||
| -rwxr-xr-x | source4/kdc/wscript_build | 4 |
4 files changed, 138 insertions, 121 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 0825f5946bc..af9fa268b32 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -32,7 +32,7 @@ #include "../lib/crypto/md4.h" #include "system/kerberos.h" #include "auth/kerberos/kerberos.h" -#include <hdb.h> +#include "kdc/sdb.h" #include "kdc/samba_kdc.h" #include "kdc/db-glue.h" @@ -84,9 +84,9 @@ static time_t ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const cha return timegm(&tm); } -static HDBFlags uf2HDBFlags(krb5_context context, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type) +static struct SDBFlags uf2SDBFlags(krb5_context context, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type) { - HDBFlags flags = int2HDBFlags(0); + struct SDBFlags flags = int2SDBFlags(0); /* we don't allow kadmin deletes */ flags.immutable = 1; @@ -189,25 +189,13 @@ static HDBFlags uf2HDBFlags(krb5_context context, uint32_t userAccountControl, e static int samba_kdc_entry_destructor(struct samba_kdc_entry *p) { if (p->entry_ex != NULL) { - hdb_entry_ex *entry_ex = p->entry_ex; - free_hdb_entry(&entry_ex->entry); + struct sdb_entry_ex *entry_ex = p->entry_ex; + free_sdb_entry(&entry_ex->entry); } return 0; } -static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex) -{ - /* this function is called only from hdb_free_entry(). - * Make sure we neutralize the destructor or we will - * get a double free later when hdb_free_entry() will - * try to call free_hdb_entry() */ - talloc_set_destructor(entry_ex->ctx, NULL); - - /* now proceed to free the talloc part */ - talloc_free(entry_ex->ctx); -} - static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, TALLOC_CTX *mem_ctx, @@ -216,7 +204,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, bool is_rodc, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type, - hdb_entry_ex *entry_ex) + struct sdb_entry_ex *entry_ex) { krb5_error_code ret = 0; enum ndr_err_code ndr_err; @@ -377,7 +365,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, if (kdc_db_ctx->rodc) { /* We are on an RODC, but don't have keys for this account. Signal this to the caller */ /* TODO: We need to call a generalised version of auth_sam_trigger_repl_secret from here */ - return HDB_ERR_NOT_FOUND_HERE; + return SDB_ERR_NOT_FOUND_HERE; } /* oh, no password. Apparently (comment in @@ -388,17 +376,14 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, /* allocate space to decode into */ entry_ex->entry.keys.len = 0; - entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(Key)); + entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(struct sdb_key)); if (entry_ex->entry.keys.val == NULL) { ret = ENOMEM; goto out; } if (hash && (supported_enctypes & ENC_RC4_HMAC_MD5)) { - Key key; - - key.mkvno = 0; - key.salt = NULL; /* No salt for this enc type */ + struct sdb_key key = {}; ret = smb_krb5_keyblock_init_contents(context, ENCTYPE_ARCFOUR_HMAC, @@ -415,7 +400,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, if (pkb4) { for (i=0; i < pkb4->num_keys; i++) { - Key key; + struct sdb_key key = {}; if (!pkb4->keys[i].value) continue; @@ -423,9 +408,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, continue; } - key.mkvno = 0; - key.salt = NULL; - if (pkb4->salt.string) { DATA_BLOB salt; @@ -464,7 +446,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, } if (ret) { if (key.salt) { - free_Salt(key.salt); + kerberos_free_data_contents(context, &key.salt->salt); free(key.salt); key.salt = NULL; } @@ -476,7 +458,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, } } else if (pkb3) { for (i=0; i < pkb3->num_keys; i++) { - Key key; + struct sdb_key key = {}; if (!pkb3->keys[i].value) continue; @@ -484,9 +466,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, continue; } - key.mkvno = 0; - key.salt = NULL; - if (pkb3->salt.string) { DATA_BLOB salt; @@ -517,7 +496,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, &key.key); if (ret) { if (key.salt) { - free_Salt(key.salt); + kerberos_free_data_contents(context, &key.salt->salt); free(key.salt); key.salt = NULL; } @@ -605,7 +584,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, unsigned flags, struct ldb_dn *realm_dn, struct ldb_message *msg, - hdb_entry_ex *entry_ex) + struct sdb_entry_ex *entry_ex) { struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; uint32_t userAccountControl; @@ -651,7 +630,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, } p->kdc_db_ctx = kdc_db_ctx; - p->entry_ex = entry_ex; p->realm_dn = talloc_reference(p, realm_dn); if (!p->realm_dn) { ret = ENOMEM; @@ -660,11 +638,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, talloc_set_destructor(p, samba_kdc_entry_destructor); - /* make sure we do not have bogus data in there */ - memset(&entry_ex->entry, 0, sizeof(hdb_entry)); - entry_ex->ctx = p; - entry_ex->free_entry = samba_kdc_free_entry; userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0); @@ -701,7 +675,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, */ if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) { - if (flags & (HDB_F_CANON)) { + if (flags & (SDB_F_CANON)) { /* * When requested to do so, ensure that the * both realm values in the principal are set @@ -738,9 +712,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, krb5_clear_error_message(context); goto out; } - } else if (flags & HDB_F_CANON && flags & HDB_F_FOR_AS_REQ) { + } else if (flags & SDB_F_CANON && flags & SDB_F_FOR_AS_REQ) { /* - * HDB_F_CANON maps from the canonicalize flag in the + * SDB_F_CANON maps from the canonicalize flag in the * packet, and has a different meaning between AS-REQ * and TGS-REQ. We only change the principal in the AS-REQ case */ @@ -773,7 +747,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, } /* First try and figure out the flags based on the userAccountControl */ - entry_ex->entry.flags = uf2HDBFlags(context, userAccountControl, ent_type); + entry_ex->entry.flags = uf2SDBFlags(context, userAccountControl, ent_type); /* Windows 2008 seems to enforce this (very sensible) rule by * default - don't allow offline attacks on a user's password @@ -794,11 +768,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN */ if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER && entry_ex->entry.flags.server == 0) { - ret = HDB_ERR_NOENTRY; + ret = SDB_ERR_NOENTRY; krb5_set_error_message(context, ret, "samba_kdc_message2entry: no servicePrincipalName present for this server, refusing with no-such-entry"); goto out; } - if (flags & HDB_F_ADMIN_DATA) { + if (flags & SDB_F_ADMIN_DATA) { /* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use * of the Heimdal KDC. They are stored in a the traditional * DB for audit purposes, and still form part of the structure @@ -816,7 +790,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, goto out; } - entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event)); + entry_ex->entry.modified_by = (struct sdb_event *) malloc(sizeof(struct sdb_event)); if (entry_ex->entry.modified_by == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); @@ -989,7 +963,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, out: if (ret != 0) { /* This doesn't free ent itself, that is for the eventual caller to do */ - hdb_free_entry(context, entry_ex); + sdb_free_entry(entry_ex); ZERO_STRUCTP(entry_ex); } else { talloc_steal(kdc_db_ctx, entry_ex->ctx); @@ -1010,7 +984,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, unsigned flags, uint32_t kvno, struct ldb_message *msg, - hdb_entry_ex *entry_ex) + struct sdb_entry_ex *entry_ex) { struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; const char *our_realm = lpcfg_realm(lp_ctx); @@ -1048,14 +1022,14 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0); if (!(trust_direction_flags & direction)) { krb5_clear_error_message(context); - ret = HDB_ERR_NOENTRY; + ret = SDB_ERR_NOENTRY; goto out; } dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL); if (dnsdomain == NULL) { krb5_clear_error_message(context); - ret = HDB_ERR_NOENTRY; + ret = SDB_ERR_NOENTRY; goto out; } partner_realm = strupper_talloc(mem_ctx, dnsdomain); @@ -1079,7 +1053,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, if (password_val == NULL) { krb5_clear_error_message(context); - ret = HDB_ERR_NOENTRY; + ret = SDB_ERR_NOENTRY; goto out; } @@ -1098,16 +1072,14 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, } p->kdc_db_ctx = kdc_db_ctx; - p->entry_ex = entry_ex; p->realm_dn = realm_dn; talloc_set_destructor(p, samba_kdc_entry_destructor); /* make sure we do not have bogus data in there */ - memset(&entry_ex->entry, 0, sizeof(hdb_entry)); + memset(&entry_ex->entry, 0, sizeof(struct sdb_entry)); entry_ex->ctx = p; - entry_ex->free_entry = samba_kdc_free_entry; /* use 'whenCreated' */ entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0); @@ -1185,7 +1157,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, if (password_blob.previous.count == 0) { /* there is no previous password */ use_previous = false; - } else if (!(flags & HDB_F_KVNO_SPECIFIED)) { + } else if (!(flags & SDB_F_KVNO_SPECIFIED)) { /* * If not specified we use the lowest kvno * for the first hour after an update. @@ -1223,7 +1195,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, } /* use the kvno the client specified, if available */ - if (flags & HDB_F_KVNO_SPECIFIED) { + if (flags & SDB_F_KVNO_SPECIFIED) { entry_ex->entry.kvno = kvno; } else { entry_ex->entry.kvno = *auth_kvno; @@ -1282,11 +1254,11 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, if (num_keys == 0) { DEBUG(1,(__location__ ": no usable key found\n")); krb5_clear_error_message(context); - ret = HDB_ERR_NOENTRY; + ret = SDB_ERR_NOENTRY; goto out; } - entry_ex->entry.keys.val = calloc(num_keys, sizeof(Key)); + entry_ex->entry.keys.val = calloc(num_keys, sizeof(struct sdb_key)); if (entry_ex->entry.keys.val == NULL) { krb5_clear_error_message(context); ret = ENOMEM; @@ -1294,7 +1266,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, } if (password_utf8.length != 0) { - Key key = {}; + struct sdb_key key = {}; krb5_const_principal salt_principal = entry_ex->entry.principal; krb5_data salt; krb5_data cleartext_data; @@ -1345,7 +1317,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, } if (password_hash != NULL) { - Key key = {}; + struct sdb_key key = {}; ret = smb_krb5_keyblock_init_contents(context, ENCTYPE_ARCFOUR_HMAC, @@ -1360,7 +1332,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, entry_ex->entry.keys.len++; } - entry_ex->entry.flags = int2HDBFlags(0); + entry_ex->entry.flags = int2SDBFlags(0); entry_ex->entry.flags.immutable = 1; entry_ex->entry.flags.invalid = 0; entry_ex->entry.flags.server = 1; @@ -1396,7 +1368,7 @@ out: if (ret != 0) { /* This doesn't free ent itself, that is for the eventual caller to do */ - hdb_free_entry(context, entry_ex); + sdb_free_entry(entry_ex); } else { talloc_steal(kdc_db_ctx, entry_ex->ctx); } @@ -1419,7 +1391,7 @@ static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_c if (NT_STATUS_IS_OK(status)) { return 0; } else if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) { int ret = ENOMEM; krb5_set_error_message(context, ret, "get_sam_result_trust: out of memory"); @@ -1555,7 +1527,7 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context, TALLOC_FREE(principal_string); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) { return ENOMEM; } else if (!NT_STATUS_IS_OK(nt_status)) { @@ -1570,7 +1542,7 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context, TALLOC_CTX *mem_ctx, krb5_const_principal principal, unsigned flags, - hdb_entry_ex *entry_ex) { + struct sdb_entry_ex *entry_ex) { struct ldb_dn *realm_dn; krb5_error_code ret; struct ldb_message *msg = NULL; @@ -1595,7 +1567,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, krb5_const_principal principal, unsigned flags, uint32_t kvno, - hdb_entry_ex *entry_ex) + struct sdb_entry_ex *entry_ex) { struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; krb5_error_code ret; @@ -1607,18 +1579,18 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, realm_from_princ_malloc = smb_krb5_principal_get_realm(context, principal); if (realm_from_princ_malloc == NULL) { /* can't happen */ - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } realm_from_princ = talloc_strdup(mem_ctx, realm_from_princ_malloc); free(realm_from_princ_malloc); if (realm_from_princ == NULL) { - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } if (krb5_princ_size(context, principal) != 2 || (principal_comp_strcmp(context, principal, 0, KRB5_TGS_NAME) != 0)) { /* Not a krbtgt */ - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } /* krbtgt case. Either us or a trusted realm */ @@ -1635,11 +1607,11 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, /* w2k8r2 sometimes gives us a kvno of 255 for inter-domain trust tickets. We don't yet know what this means, but we do seem to need to treat it as unspecified */ - if (flags & HDB_F_KVNO_SPECIFIED) { + if (flags & SDB_F_KVNO_SPECIFIED) { krbtgt_number = SAMBA_KVNO_GET_KRBTGT(kvno); if (kdc_db_ctx->rodc) { if (krbtgt_number != kdc_db_ctx->my_krbtgt_number) { - return HDB_ERR_NOT_FOUND_HERE; + return SDB_ERR_NOT_FOUND_HERE; } } } else { @@ -1665,17 +1637,17 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, if (lret == LDB_ERR_NO_SUCH_OBJECT) { krb5_warnx(context, "samba_kdc_fetch: could not find KRBTGT number %u in DB!", (unsigned)(krbtgt_number)); - krb5_set_error_message(context, HDB_ERR_NOENTRY, + krb5_set_error_message(context, SDB_ERR_NOENTRY, "samba_kdc_fetch: could not find KRBTGT number %u in DB!", (unsigned)(krbtgt_number)); - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } else if (lret != LDB_SUCCESS) { krb5_warnx(context, "samba_kdc_fetch: could not find KRBTGT number %u in DB!", (unsigned)(krbtgt_number)); - krb5_set_error_message(context, HDB_ERR_NOENTRY, + krb5_set_error_message(context, SDB_ERR_NOENTRY, "samba_kdc_fetch: could not find KRBTGT number %u in DB!", (unsigned)(krbtgt_number)); - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx, @@ -1704,10 +1676,10 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, krb5_warnx(context, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')", realm_from_princ, realm_princ_comp); - krb5_set_error_message(context, HDB_ERR_NOENTRY, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')", + krb5_set_error_message(context, SDB_ERR_NOENTRY, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')", realm_from_princ, realm_princ_comp); - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } /* Trusted domains are under CN=system */ @@ -1771,7 +1743,7 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context, free(principal_string); if (!NT_STATUS_IS_OK(nt_status)) { - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } ldb_ret = dsdb_search_one(kdc_db_ctx->samdb, @@ -1781,10 +1753,10 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context, DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG, "(objectClass=*)"); if (ldb_ret != LDB_SUCCESS) { - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } return 0; - } else if (!(flags & HDB_F_FOR_AS_REQ) + } else if (!(flags & SDB_F_FOR_AS_REQ) && smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) { /* * The behaviour of accepting an @@ -1888,21 +1860,21 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context, if (lret == LDB_ERR_NO_SUCH_OBJECT) { DEBUG(10, ("Failed to find an entry for %s filter:%s\n", name1, filter)); - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } if (lret == LDB_ERR_CONSTRAINT_VIOLATION) { DEBUG(10, ("Failed to find unique entry for %s filter:%s\n", name1, filter)); - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } if (lret != LDB_SUCCESS) { DEBUG(0, ("Failed single search for %s - %s\n", name1, ldb_errstring(kdc_db_ctx->samdb))); - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } return 0; } - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } @@ -1912,7 +1884,7 @@ static krb5_error_code samba_kdc_fetch_server(krb5_context context, TALLOC_CTX *mem_ctx, krb5_const_principal principal, unsigned flags, - hdb_entry_ex *entry_ex) + struct sdb_entry_ex *entry_ex) { krb5_error_code ret; struct ldb_dn *realm_dn; @@ -1940,7 +1912,7 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context, TALLOC_CTX *mem_ctx, krb5_const_principal principal, unsigned flags, - hdb_entry_ex *entry_ex) + struct sdb_entry_ex *entry_ex) { TALLOC_CTX *frame = talloc_stackframe(); NTSTATUS status; @@ -1956,13 +1928,13 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context, num_comp = krb5_princ_size(context, principal); - if (flags & HDB_F_GET_CLIENT) { - if (flags & HDB_F_FOR_AS_REQ) { + if (flags & SDB_F_GET_CLIENT) { + if (flags & SDB_F_FOR_AS_REQ) { check_realm = true; } } - if (flags & HDB_F_GET_SERVER) { - if (flags & HDB_F_FOR_TGS_REQ) { + if (flags & SDB_F_GET_SERVER) { + if (flags & SDB_F_FOR_TGS_REQ) { check_realm = true; } } @@ -1988,7 +1960,7 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context, */ SAFE_FREE(_realm); TALLOC_FREE(frame); - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } realm = talloc_strdup(frame, _realm); @@ -2005,7 +1977,7 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context, if (num_comp != 1) { TALLOC_FREE(frame); - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } principal_string = smb_krb5_principal_get_comp_string(frame, context, @@ -2036,7 +2008,7 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context, } } - if (flags & HDB_F_GET_SERVER) { + if (flags & SDB_F_GET_SERVER) { char *service_realm = NULL; ret = principal_comp_strcmp(context, principal, 0, KRB5_TGS_NAME); @@ -2141,7 +2113,7 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context, } TALLOC_FREE(frame); - return HDB_ERR_WRONG_REALM; + return SDB_ERR_WRONG_REALM; } krb5_error_code samba_kdc_fetch(krb5_context context, @@ -2149,9 +2121,9 @@ krb5_error_code samba_kdc_fetch(krb5_context context, krb5_const_principal principal, unsigned flags, krb5_kvno kvno, - hdb_entry_ex *entry_ex) + struct sdb_entry_ex *entry_ex) { - krb5_error_code ret = HDB_ERR_NOENTRY; + krb5_error_code ret = SDB_ERR_NOENTRY; TALLOC_CTX *mem_ctx; mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_fetch context"); @@ -2167,24 +2139,24 @@ krb5_error_code samba_kdc_fetch(krb5_context context, goto done; } - ret = HDB_ERR_NOENTRY; + ret = SDB_ERR_NOENTRY; - if (flags & HDB_F_GET_CLIENT) { + if (flags & SDB_F_GET_CLIENT) { ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex); - if (ret != HDB_ERR_NOENTRY) goto done; + if (ret != SDB_ERR_NOENTRY) goto done; } - if (flags & HDB_F_GET_SERVER) { + if (flags & SDB_F_GET_SERVER) { /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */ ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, kvno, entry_ex); - if (ret != HDB_ERR_NOENTRY) goto done; + if (ret != SDB_ERR_NOENTRY) goto done; /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */ ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex); - if (ret != HDB_ERR_NOENTRY) goto done; + if (ret != SDB_ERR_NOENTRY) goto done; } - if (flags & HDB_F_GET_KRBTGT) { + if (flags & SDB_F_GET_KRBTGT) { ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, kvno, entry_ex); - if (ret != HDB_ERR_NOENTRY) goto done; + if (ret != SDB_ERR_NOENTRY) goto done; } done: @@ -2201,7 +2173,7 @@ struct samba_kdc_seq { static krb5_error_code samba_kdc_seq(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, - hdb_entry_ex *entry) + struct sdb_entry_ex *entry) { krb5_error_code ret; struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx; @@ -2212,7 +2184,7 @@ static krb5_error_code samba_kdc_seq(krb5_context context, TALLOC_CTX *mem_ctx; if (!priv) { - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } mem_ctx = talloc_named(priv, 0, "samba_kdc_seq context"); @@ -2233,7 +2205,7 @@ static krb5_error_code samba_kdc_seq(krb5_context context, } if (sAMAccountName == NULL) { - ret = HDB_ERR_NOENTRY; + ret = SDB_ERR_NOENTRY; goto out; } @@ -2245,7 +2217,7 @@ static krb5_error_code samba_kdc_seq(krb5_context context, ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx, principal, SAMBA_KDC_ENT_TYPE_ANY, - HDB_F_ADMIN_DATA|HDB_F_GET_ANY, + SDB_F_ADMIN_DATA|SDB_F_GET_ANY, priv->realm_dn, msg, entry); out: @@ -2265,7 +2237,7 @@ out: krb5_error_code samba_kdc_firstkey(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, - hdb_entry_ex *entry) + struct sdb_entry_ex *entry) { struct ldb_context *ldb_ctx = kdc_db_ctx->samdb; struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx; @@ -2314,7 +2286,7 @@ krb5_error_code samba_kdc_firstkey(krb5_context context, if (lret != LDB_SUCCESS) { TALLOC_FREE(priv); - return HDB_ERR_NOENTRY; + return SDB_ERR_NOENTRY; } priv->count = res->count; @@ -2336,7 +2308,7 @@ krb5_error_code samba_kdc_firstkey(krb5_context context, krb5_error_code samba_kdc_nextkey(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, - hdb_entry_ex *entry) + struct sdb_entry_ex *entry) { return samba_kdc_seq(context, kdc_db_ctx, entry); } @@ -2369,7 +2341,7 @@ samba_kdc_check_s4u2self(krb5_context context, } ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, target_principal, - HDB_F_GET_CLIENT|HDB_F_GET_SERVER, + SDB_F_GET_CLIENT|SDB_F_GET_SERVER, delegation_check_attrs, &realm_dn, &msg); if (ret != 0) { diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h index 9a3052126a0..aa630f5d349 100644 --- a/source4/kdc/db-glue.h +++ b/source4/kdc/db-glue.h @@ -21,20 +21,22 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ +struct sdb_entry_ex; + krb5_error_code samba_kdc_fetch(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, krb5_const_principal principal, unsigned flags, krb5_kvno kvno, - hdb_entry_ex *entry_ex); + struct sdb_entry_ex *entry_ex); krb5_error_code samba_kdc_firstkey(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, - hdb_entry_ex *entry); + struct sdb_entry_ex *entry); krb5_error_code samba_kdc_nextkey(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, - hdb_entry_ex *entry); + struct sdb_entry_ex *entry); krb5_error_code samba_kdc_check_s4u2self(krb5_context context, diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 77f6a9079dd..c8f26e03c18 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -37,6 +37,8 @@ #include "kdc/db-glue.h" #include "auth/auth_sam.h" #include <ldb.h> +#include "sdb.h" +#include "sdb_hdb.h" static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode) { @@ -87,33 +89,74 @@ static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db, hdb_entry_ex *entry_ex) { struct samba_kdc_db_context *kdc_db_ctx; + struct sdb_entry_ex sdb_entry_ex = {}; + krb5_error_code code, ret; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); - return samba_kdc_fetch(context, kdc_db_ctx, principal, flags, kvno, entry_ex); + code = samba_kdc_fetch(context, + kdc_db_ctx, + principal, + flags, + kvno, + &sdb_entry_ex); + /* + * If SDB_ERR_WRONG_REALM is returned we need to process the sdb_entry + * to fill the principal in the HDB entry. + */ + if (code != 0 && code != SDB_ERR_WRONG_REALM) { + return code; + } + + ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry_ex); + sdb_free_entry(&sdb_entry_ex); + + if (code == 0 && ret != 0) { + code = ret; + } + + return code; } static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) { struct samba_kdc_db_context *kdc_db_ctx; + struct sdb_entry_ex sdb_entry_ex = {}; + krb5_error_code ret; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); - return samba_kdc_firstkey(context, kdc_db_ctx, entry); + ret = samba_kdc_firstkey(context, kdc_db_ctx, &sdb_entry_ex); + if (ret) { + return ret; + } + + ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry); + sdb_free_entry(&sdb_entry_ex); + return ret; } static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry) { struct samba_kdc_db_context *kdc_db_ctx; + struct sdb_entry_ex sdb_entry_ex = {}; + krb5_error_code ret; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); - return samba_kdc_nextkey(context, kdc_db_ctx, entry); + ret = samba_kdc_nextkey(context, kdc_db_ctx, &sdb_entry_ex); + if (ret) { + return ret; + } + + ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry); + sdb_free_entry(&sdb_entry_ex); + return ret; } static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db) diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build index d29ff771341..7b8fcb1959c 100755 --- a/source4/kdc/wscript_build +++ b/source4/kdc/wscript_build @@ -27,7 +27,7 @@ bld.SAMBA_MODULE('service_kdc', bld.SAMBA_LIBRARY('HDB_SAMBA4', source='hdb-samba4.c hdb-samba4-plugin.c', - deps='ldb auth4_sam auth_sam_reply samba-credentials hdb db-glue samba-hostconfig com_err', + deps='ldb auth4_sam auth_sam_reply samba-credentials hdb db-glue samba-hostconfig com_err sdb_hdb', includes=kdc_include, private_library=True, enabled=bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') @@ -87,7 +87,7 @@ bld.SAMBA_LIBRARY('pac', bld.SAMBA_LIBRARY('db-glue', source='db-glue.c', - deps='ldb auth4_sam auth_sam_reply samba-credentials hdb samba-hostconfig com_err', + deps='ldb auth4_sam auth_sam_reply samba-credentials sdb samba-hostconfig com_err', private_library=True, includes=kdc_include, ) |