[SCM] Samba Shared Repository - branch master updated

Mon, 09 Nov 2009 02:40:11 -0800 

The branch, master has been updated
       via  2b858c6... s4-hdb: go back to a separate samdb for the KDC
      from  bb283af... Revert "s3: Do not directly reference the ndr_table_* in 
rpcclient"

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2b858c69391b2d64f19291eb349cb5ba9e48045b
Author: Andrew Tridgell <[email protected]>
Date:   Mon Nov 9 21:38:49 2009 +1100

    s4-hdb: go back to a separate samdb for the KDC
    
    The change to use a common system_session broke replication as the KDC
    forces CRED_DONT_USE_KERBEROS on session->credentials, which is shared
    with other parts of the system.
    
    This should be fixed once we confirm whether the ldap backend actually
    relies on CRED_DONT_USE_KERBEROS

-----------------------------------------------------------------------

Summary of changes:
 source4/kdc/hdb-samba4.c |   17 ++++++++++++++++-
 1 files changed, 16 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 12f3544..2418e5c 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1585,6 +1585,8 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
                              krb5_context context, struct HDB **db)
 {
        struct auth_session_info *session_info;
+       NTSTATUS nt_status;
+
        *db = talloc(mem_ctx, HDB);
        if (!*db) {
                krb5_set_error_message(context, ENOMEM, "malloc: out of 
memory");
@@ -1595,17 +1597,30 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx,
        (*db)->hdb_db = NULL;
        (*db)->hdb_capability_flags = 0;
 
+#if 1
+       /* we would prefer to use system_session(), as that would
+        * allow us to share the samdb backend context with other parts of the
+        * system. For now we can't as we need to override the
+        * credentials to set CRED_DONT_USE_KERBEROS, which would
+        * break other users of the system_session */    
+       DEBUG(0,("FIXME: Using new system session for hdb\n"));
+       nt_status = auth_system_session_info(*db, lp_ctx, &session_info);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               return nt_status;
+       }
+#else
        session_info = system_session(lp_ctx);
        if (session_info == NULL) {
                return NT_STATUS_INTERNAL_ERROR;
        }
+#endif
        
        /* The idea here is very simple.  Using Kerberos to
         * authenticate the KDC to the LDAP server is higly likely to
         * be circular.
         *
         * In future we may set this up to use EXERNAL and SSL
-        * certificates, for now it will almost certainly be NTLMSSP
+        * certificates, for now it will almost certainly be 
NTLMSSP_SET_USERNAME
        */
        
        cli_credentials_set_kerberos_state(session_info->credentials, 


-- 
Samba Shared Repository

Reply via email to