The branch, master has been updated via 8421c40 s4:kdc: fix realm for outgoing trusts in samba_kdc_trust_message2entry() from 9d0f7e1 selftest: the drs.delete_object is currently flakey.
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 8421c403e206a8eb1b55ce512e6d2d4174bed0ac Author: Stefan Metzmacher <me...@samba.org> Date: Sun Mar 15 22:25:49 2015 +0100 s4:kdc: fix realm for outgoing trusts in samba_kdc_trust_message2entry() This is a regression introduced in commit 8dd37327b02eaea33915a9cd206667981b8df872. Now we change 'realm' before calling ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm); as before commit 8dd37327b02eaea33915a9cd206667981b8df872. Without this we'd set entry_ex->entry.principal to krbtgt/doma.example....@doma.example.com instead of krbtgt/doma.example....@domb.example.com, while we use krbtgt/doma.example....@domb.example.com as salt for the keys. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Wed Mar 18 18:56:51 CET 2015 on sn-devel-104 ----------------------------------------------------------------------- Summary of changes: source4/kdc/db-glue.c | 53 +++++++++++++++++++++++++-------------------------- 1 file changed, 26 insertions(+), 27 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8f2b361..bc82482 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -965,6 +965,32 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, supported_enctypes); } + trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0); + + if (direction == INBOUND) { + password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming"); + + } else { /* OUTBOUND */ + dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL); + /* replace realm */ + realm = strupper_talloc(mem_ctx, dnsdomain); + password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing"); + } + + if (!password_val || !(trust_direction_flags & direction)) { + krb5_clear_error_message(context); + ret = HDB_ERR_NOENTRY; + goto out; + } + + ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob, + (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + krb5_clear_error_message(context); + ret = EINVAL; + goto out; + } + p = talloc(mem_ctx, struct samba_kdc_entry); if (!p) { ret = ENOMEM; 
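Review bot: In the OUTBOUND branch `realm = strupper_talloc(mem_ctx, dnsdomain);` is used without a NULL check, and `dnsdomain` comes from `ldb_msg_find_attr_as_string(msg, "trustPartner", NULL)`, which returns the NULL default when the attribute is missing. Since the point of this commit is that `realm` is what later reaches `krb5_principal_set_realm()` (outside this hunk) and must match the key salt, a trusted-domain object without `trustPartner`, or a failed allocation, would presumably hand a NULL realm to the KDC's principal handling instead of failing cleanly. I would add `if (dnsdomain == NULL) { krb5_clear_error_message(context); ret = HDB_ERR_NOENTRY; goto out; }` before the conversion and `if (realm == NULL) { ret = ENOMEM; goto out; }` after it. The two early `goto out` paths now run before `p = talloc(...)`. The `out:` cleanup lies outside the hunk, so it is worth confirming that it copes with an entry whose context was never allocated.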
@@ -1023,33 +1049,6 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, entry_ex->entry.valid_start = NULL; - trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0); - - if (direction == INBOUND) { - password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming"); - - } else { /* OUTBOUND */ - dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL); - /* replace realm */ - realm = strupper_talloc(mem_ctx, dnsdomain); - password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing"); - } - - if (!password_val || !(trust_direction_flags & direction)) { - krb5_clear_error_message(context); - ret = HDB_ERR_NOENTRY; - goto out; - } - - ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob, - (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - krb5_clear_error_message(context); - ret = EINVAL; - goto out; - } - - /* we need to work out if we are going to use the current or * the previous password hash. * We base this on the kvno the client passes in. If the kvno -- Samba Shared Repository