The branch, master has been updated
       via  abfa8e3 mit-kdb: Add missing SDB_F_FOR_AS_REQ for AS requests
       via  859c625 mit-kdb: Fix segfault in krb5kdc dereferencing an invalid pointer
       via  bb72aec mit-kdb: Add support for KDB version 8
       via  b0f2165 mit-kdb: Add support for bad password count
       via  05cc9b0 mit-kdb: Restrict admin/changepw principal db_entry with some flags
       via  b76cf19 mit-kdb: Return 0 in kdb_samba_db_put_principal()
       via  5a6819d mit-kdb: Implement KDB function to change passwords
       via  f5e86db mit-kdb: Use calloc to initialize master keylists.
       via  fab9fe0 mit-kdb: Add ks_get_admin_principal() and use it for kadmin users.
       via  5a4e3ad mit-kdb: Add ks_create_principal().
       via  742b4c3 mit-kdb: Do not allow getting a kadmin ticket as a client.
       via  e13e9c5 mit-kdb: Add more ks_is_kadmin* functions.
       via  d787d35 mit-kdb: Use calloc so both authdata elements are zeroed
       via  1b6a085 mit-kdb: Do not overwrite the error code in failure case.
       via  ade958e mit-kdb: Add initial MIT KDB Samba driver
       via  7feb650 wscript: Build the KDC code if we have the AD DC build enabled
       via  4865867 mit_samba: Set up logging to stdout
       via  23c249a mit_samba: Add function for handling bad password count
       via  9734b5d mit_samba: Add functions to generate random password and salt.
       via  909e7f9 mit_samba: Add function to change the password
       via  77cec01 mit_samba: Add ks_is_tgs_principal()
       via  859a6fb mit_samba: Use talloc_zero in mit_samba_context_init().
       via  597772d mit_samba: Directly pass the principal and kflags
       via  33fcc76 mit_samba: Make mit_samba a shim layer between Samba and KDB
       via  209d4b5 mit_samba: Use sdb in the mit_samba plugin
       via  6825a61 s4-kdc: Introduce a simple sdb_kdb shim layer
       via  1092324 wscript: detect if we have libkdb5 and kdb.h.
       via  2467032 krb5-wrap: Use the principal returned by the KDC to create the ccache
      from  44f3dde smbd: fix use after free via conn->fsp_fi_cache

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit abfa8e335c685e1251c2fe503949d99e1da7ac3f
Author: Andreas Schneider <[email protected]>
Date:   Wed Jan 20 13:25:16 2016 +0100

    mit-kdb: Add missing SDB_F_FOR_AS_REQ for AS requests
    
    This correctly handles enterprise principals and ticket renewal.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Signed-off-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
    Pair-Programmed-With: Guenther Deschner <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
    
    Autobuild-User(master): Andrew Bartlett <[email protected]>
    Autobuild-Date(master): Thu Mar 17 07:57:49 CET 2016 on sn-devel-144

commit 859c625c8235d5e6bbef3d2d98bdd6579540ecf4
Author: Andreas Schneider <[email protected]>
Date:   Fri Dec 4 12:04:49 2015 +0100

    mit-kdb: Fix segfault in krb5kdc dereferencing an invalid pointer
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit bb72aec13fb405710522bccef6b082a161534aeb
Author: Andreas Schneider <[email protected]>
Date:   Mon Nov 30 13:27:29 2015 +0100

    mit-kdb: Add support for KDB version 8
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit b0f21659015875231b382b7f30d44f5b81d8ad58
Author: Andreas Schneider <[email protected]>
Date:   Wed May 20 17:20:13 2015 +0200

    mit-kdb: Add support for bad password count
    
    This fixes the samba4.ldap.password_lockout.python test.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 05cc9b0af9794b62d65a781a4d1c3e4eb8f573f6
Author: Günther Deschner <[email protected]>
Date:   Thu Aug 7 15:04:42 2014 +0200

    mit-kdb: Restrict admin/changepw principal db_entry with some flags
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Signed-off-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
    Pair-Programmed-With: Guenther Deschner <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit b76cf191d9502401780cad83a83f1a685e776ef5
Author: Günther Deschner <[email protected]>
Date:   Wed Aug 6 15:17:47 2014 +0200

    mit-kdb: Return 0 in kdb_samba_db_put_principal()
    
    This allows the kadmin server to assume an update of a db_entry has
    succeeded (while in fact the update_pwd call did the update already).
    
    Guenther
    
    Signed-off-by: Guenther Deschner <[email protected]>
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
    Pair-Programmed-With: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 5a6819dbee516f926da67dca707153b3654dc349
Author: Andreas Schneider <[email protected]>
Date:   Thu Jul 30 14:47:11 2015 +0200

    mit-kdb: Implement KDB function to change passwords
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit f5e86db147cbfa0ad9aef2032258b53ec9f677e3
Author: Günther Deschner <[email protected]>
Date:   Mon Aug 4 12:11:22 2014 +0200

    mit-kdb: Use calloc to initialize master keylists.
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit fab9fe017774d08a64371cc1466706bba7c0d2f0
Author: Andreas Schneider <[email protected]>
Date:   Wed Aug 6 15:38:41 2014 +0200

    mit-kdb: Add ks_get_admin_principal() and use it for kadmin users.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 5a4e3adbdaafd2bc4774bec6984ca4375b944439
Author: Andreas Schneider <[email protected]>
Date:   Wed Aug 6 15:37:41 2014 +0200

    mit-kdb: Add ks_create_principal().
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 742b4c3da8343474d958426e1f8b61faf6938645
Author: Andreas Schneider <[email protected]>
Date:   Wed Aug 6 15:32:13 2014 +0200

    mit-kdb: Do not allow getting a kadmin ticket as a client.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit e13e9c54f5956c86a05693e08aab5223b02b5211
Author: Andreas Schneider <[email protected]>
Date:   Wed Aug 6 15:27:16 2014 +0200

    mit-kdb: Add more ks_is_kadmin* functions.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Signed-off-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
    Pair-Programmed-With: Guenther Deschner <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit d787d35d97a9df6bd1b747983280e747c7ff61b9
Author: Günther Deschner <[email protected]>
Date:   Fri May 16 14:37:39 2014 +0200

    mit-kdb: Use calloc so both authdata elements are zeroed
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 1b6a085b7f417c0a5d7593858715f070b4d0aa50
Author: Günther Deschner <[email protected]>
Date:   Thu May 15 09:05:25 2014 +0200

    mit-kdb: Do not overwrite the error code in failure case.
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit ade958e20b561b702e2fec86a28659144dbe4a9e
Author: Andreas Schneider <[email protected]>
Date:   Mon May 12 10:49:24 2014 +0200

    mit-kdb: Add initial MIT KDB Samba driver
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Signed-off-by: Simo Sorce <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
    Pair-Programmed-With: Simo Sorce <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 7feb650a372094f2ecfa82e41756d5e2fa92ff9a
Author: Andreas Schneider <[email protected]>
Date:   Thu Jul 23 13:48:50 2015 +0200

    wscript: Build the KDC code if we have the AD DC build enabled
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 4865867f59140a65d498255a64564f9e47810323
Author: Andreas Schneider <[email protected]>
Date:   Thu Jul 30 17:29:51 2015 +0200

    mit_samba: Set up logging to stdout
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 23c249a88b8e216f9859b3103d77aec26e8cd85d
Author: Andreas Schneider <[email protected]>
Date:   Wed May 20 17:19:35 2015 +0200

    mit_samba: Add function for handling bad password count
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 9734b5d9ed895369adffed4ddc6bc304b0d85edc
Author: Andreas Schneider <[email protected]>
Date:   Wed Aug 6 15:41:05 2014 +0200

    mit_samba: Add functions to generate random password and salt.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 909e7f9ff609291064af4667271b5abe2aaeceb9
Author: Andreas Schneider <[email protected]>
Date:   Thu Jul 30 14:46:48 2015 +0200

    mit_samba: Add function to change the password
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 77cec013c317b331e366ea9294c6fa7bad891226
Author: Andreas Schneider <[email protected]>
Date:   Thu Jul 30 15:26:50 2015 +0200

    mit_samba: Add ks_is_tgs_principal()
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 859a6fba0bac88de87dc5d5c348597ed1e006614
Author: Günther Deschner <[email protected]>
Date:   Mon May 12 21:35:45 2014 +0200

    mit_samba: Use talloc_zero in mit_samba_context_init().
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 597772dbd24571b9bda62e5a279dd8a7616b372f
Author: Andreas Schneider <[email protected]>
Date:   Thu Jul 30 14:36:55 2015 +0200

    mit_samba: Directly pass the principal and kflags
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 33fcc76aa782a24d1d70c12a501a61ee657dcb2a
Author: Andreas Schneider <[email protected]>
Date:   Mon May 12 10:50:33 2014 +0200

    mit_samba: Make mit_samba a shim layer between Samba and KDB
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 209d4b5b28d517a5446923f9ad2eda583dc25d05
Author: Günther Deschner <[email protected]>
Date:   Mon May 12 14:33:14 2014 +0200

    mit_samba: Use sdb in the mit_samba plugin
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 6825a61b0bf7428b9704efd7124635f6b6b7bd99
Author: Günther Deschner <[email protected]>
Date:   Fri May 9 13:45:19 2014 +0200

    s4-kdc: Introduce a simple sdb_kdb shim layer
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 1092324f7f3b52a363ebbbadae2aa6749cd3123a
Author: Günther Deschner <[email protected]>
Date:   Fri May 9 13:44:05 2014 +0200

    wscript: detect if we have libkdb5 and kdb.h.
    
    Guenther
    
    Signed-off-by: Günther Deschner <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 2467032a3e90754ff1d2d8c4146d9f479fffc6d4
Author: Andreas Schneider <[email protected]>
Date:   Tue Feb 3 13:00:34 2015 +0100

    krb5-wrap: Use the principal returned by the KDC to create the ccache
    
    We request a TGT in uppercase from the KDC. We turned on
    canonicalization for that, so the KDC returns the principal in
    lowercase because of this. As we use the uppercase principal to create
    the ccache, we fail to find the tickets we need later because they are
    stored in the incorrect case. You have to use the principal returned by
    the KDC here.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Sumit Bose <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 lib/krb5_wrap/krb5_samba.c                 |   8 +
 source4/kdc/mit-kdb/kdb_samba.c            | 185 +++++++++++
 source4/kdc/mit-kdb/kdb_samba.h            | 173 +++++++++++
 source4/kdc/mit-kdb/kdb_samba_change_pwd.c |  56 ++++
 source4/kdc/mit-kdb/kdb_samba_common.c     | 150 +++++++++
 source4/kdc/mit-kdb/kdb_samba_masterkey.c  |  66 ++++
 source4/kdc/mit-kdb/kdb_samba_pac.c        | 112 +++++++
 source4/kdc/mit-kdb/kdb_samba_policies.c   | 468 ++++++++++++++++++++++++++++
 source4/kdc/mit-kdb/kdb_samba_principals.c | 366 ++++++++++++++++++++++
 source4/kdc/mit-kdb/wscript_build          |  22 ++
 source4/kdc/mit_samba.c                    | 475 ++++++++++++++++++++++++-----
 source4/kdc/mit_samba.h                    |  86 ++++++
 source4/kdc/mit_samba_interface.h          |  60 ----
 source4/kdc/sdb_to_kdb.c                   | 334 ++++++++++++++++++++
 source4/kdc/wscript_build                  |  16 +-
 wscript                                    |   3 +
 wscript_build                              |   1 +
 wscript_build_embedded_heimdal             |   1 -
 wscript_build_system_heimdal               |   1 -
 wscript_configure_system_mitkrb5           |   5 +
 20 files changed, 2441 insertions(+), 147 deletions(-)
 create mode 100644 source4/kdc/mit-kdb/kdb_samba.c
 create mode 100644 source4/kdc/mit-kdb/kdb_samba.h
 create mode 100644 source4/kdc/mit-kdb/kdb_samba_change_pwd.c
 create mode 100644 source4/kdc/mit-kdb/kdb_samba_common.c
 create mode 100644 source4/kdc/mit-kdb/kdb_samba_masterkey.c
 create mode 100644 source4/kdc/mit-kdb/kdb_samba_pac.c
 create mode 100644 source4/kdc/mit-kdb/kdb_samba_policies.c
 create mode 100644 source4/kdc/mit-kdb/kdb_samba_principals.c
 create mode 100644 source4/kdc/mit-kdb/wscript_build
 create mode 100644 source4/kdc/mit_samba.h
 delete mode 100644 source4/kdc/mit_samba_interface.h
 create mode 100644 source4/kdc/sdb_to_kdb.c


Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 9d2f698..9ee71f5 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2004,6 +2004,14 @@ krb5_error_code kerberos_kinit_keyblock_cc(krb5_context 
ctx, krb5_ccache cc,
                return code;
        }
 
+#ifndef SAMBA4_USES_HEIMDAL /* MIT */
+       /*
+        * We need to store the principal as returned from the KDC to the
+        * credentials cache. If we don't do that the KRB5 library is not
+        * able to find the tickets it is looking for
+        */
+       principal = my_creds.client;
+#endif
        code = krb5_cc_initialize(ctx, cc, principal);
        if (code) {
                goto done;
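Review bot: `principal = my_creds.client;` aliases a pointer owned by `my_creds`, so the ownership at the `done:` cleanup (outside this hunk) needs checking: if the function later releases `my_creds` (for example with `krb5_free_cred_contents`) and the caller still holds `principal`, the caller ends up with a dangling pointer, and if the original `principal` was heap-allocated in this function it is no longer freed. Copying the canonicalized name with `krb5_copy_principal()` into its own variable, or stating in the comment who owns the pointer, would remove the ambiguity. The `#ifndef SAMBA4_USES_HEIMDAL` guard should also explain why Heimdal does not need the KDC-returned name, since the commit message only describes the MIT case; the comment block is also missing its final period.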
diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
new file mode 100644
index 0000000..b7f802c
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba.c
@@ -0,0 +1,185 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2010      Simo Sorce <[email protected]>.
+   Copyright (c) 2014      Andreas Schneider <[email protected]>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#include "system/kerberos.h"
+
+#include <profile.h>
+#include <kdb.h>
+
+#include "kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+static krb5_error_code kdb_samba_init_library(void)
+{
+       return 0;
+}
+
+static krb5_error_code kdb_samba_fini_library(void)
+{
+       return 0;
+}
+
+static krb5_error_code kdb_samba_init_module(krb5_context context,
+                                            char *conf_section,
+                                            char **db_args,
+                                            int mode)
+{
+       /* TODO mit_samba_context_init */
+       struct mit_samba_context *mit_ctx;
+       krb5_error_code code;
+       int rc;
+
+       rc = mit_samba_context_init(&mit_ctx);
+       if (rc != 0) {
+               return ENOMEM;
+       }
+
+
+       code = krb5_db_set_context(context, mit_ctx);
+
+       return code;
+}
+static krb5_error_code kdb_samba_fini_module(krb5_context context)
+{
+       struct mit_samba_context *mit_ctx;
+
+       mit_ctx = ks_get_context(context);
+       if (mit_ctx == NULL) {
+               return 0;
+       }
+
+       mit_samba_context_free(mit_ctx);
+
+       return 0;
+}
+
+static krb5_error_code kdb_samba_db_create(krb5_context context,
+                                          char *conf_section,
+                                          char **db_args)
+{
+       /* NOTE: used only by kadmin */
+       return KRB5_KDB_DBTYPE_NOSUP;
+}
+
+static krb5_error_code kdb_samba_db_destroy(krb5_context context,
+                                           char *conf_section,
+                                           char **db_args)
+{
+       /* NOTE: used only by kadmin */
+       return KRB5_KDB_DBTYPE_NOSUP;
+}
+
+static krb5_error_code kdb_samba_db_get_age(krb5_context context,
+                                           char *db_name,
+                                           time_t *age)
+{
+       /* TODO: returns last modification time of the db */
+
+       /* NOTE: used by and affects only lookaside cache,
+        *       defer implementation until needed as samba doesn't keep this
+        *       specific value readily available and it would require a full
+        *       database search to get it. */
+
+       *age = time(NULL);
+
+       return 0;
+}
+
+static krb5_error_code kdb_samba_db_lock(krb5_context context, int kmode)
+{
+
+       /* NOTE: important only for kadmin */
+       /* NOTE: deferred as samba's DB cannot be easily locked and doesn't
+        * really make sense to do so anyway as the db is shared and support
+        * transactions */
+       return 0;
+}
+
+static krb5_error_code kdb_samba_db_unlock(krb5_context context)
+{
+
+       /* NOTE: important only for kadmin */
+       /* NOTE: deferred as samba's DB cannot be easily locked and doesn't
+        * really make sense to do so anyway as the db is shared and support
+        * transactions */
+       return 0;
+}
+
+static void *kdb_samba_db_alloc(krb5_context context, void *ptr, size_t size)
+{
+       return realloc(ptr, size);
+}
+
+static void kdb_samba_db_free(krb5_context context, void *ptr)
+{
+       free(ptr);
+}
+
+kdb_vftabl kdb_function_table = {
+       KRB5_KDB_DAL_MAJOR_VERSION,        /* major version number */
+       0,                                 /* minor version number */
+       kdb_samba_init_library,            /* init_library */
+       kdb_samba_fini_library,            /* fini_library */
+       kdb_samba_init_module,             /* init_module */
+       kdb_samba_fini_module,             /* fini_module */
+
+       kdb_samba_db_create,               /* db_create */
+       kdb_samba_db_destroy,              /* db_destroy */
+       kdb_samba_db_get_age,              /* db_get_age */
+       kdb_samba_db_lock,                 /* db_lock */
+       kdb_samba_db_unlock,               /* db_unlock */
+
+       kdb_samba_db_get_principal,        /* db_get_principal */
+       kdb_samba_db_free_principal,       /* db_free_principal */
+       kdb_samba_db_put_principal,        /* db_put_principal */
+       kdb_samba_db_delete_principal,     /* db_delete_principal */
+       kdb_samba_db_iterate,              /* db_iterate */
+
+       NULL,                              /* create_policy */
+       NULL,                              /* get_policy */
+       NULL,                              /* put_policy */
+       NULL,                              /* iter_policy */
+       NULL,                              /* delete_policy */
+       NULL,                              /* free_policy */
+
+       kdb_samba_db_alloc,                /* db_alloc */
+       kdb_samba_db_free,                 /* db_free */
+
+       kdb_samba_fetch_master_key,        /* fetch_master_key */
+       kdb_samba_fetch_master_key_list,   /* fetch_master_key_list */
+       NULL,                              /* store_master_key_list */
+       NULL,                              /* dbe_search_enctype */
+       kdb_samba_change_pwd,              /* change_pwd */
+       NULL,                              /* promote_db */
+       kdb_samba_dbekd_decrypt_key_data,  /* decrypt_key_data */
+       kdb_samba_dbekd_encrypt_key_data,  /* encrypt_key_data */
+
+       kdb_samba_db_sign_auth_data,       /* sign_authdata */
+       NULL,                              /* check_transited_realms */
+       kdb_samba_db_check_policy_as,      /* check_policy_as */
+       NULL,                              /* check_policy_tgs */
+       kdb_samba_db_audit_as_req,         /* audit_as_req */
+       NULL,                              /* refresh_config */
+       kdb_samba_db_check_allowed_to_delegate
+};
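Review bot: in `kdb_samba_init_module` every non-zero `rc` from `mit_samba_context_init()` is collapsed to `ENOMEM`, which hides the real cause (configuration, LDB or logging setup failures) from the krb5kdc log and from anyone debugging a KDC that refuses to start; propagate the real error code instead, and drop the stale `/* TODO mit_samba_context_init */` comment now that the call exists. `kdb_function_table` is initialised positionally, which is brittle given that `kdb_samba.h` already has to special-case `KRB5_KDB_API_VERSION == 8`: designated initialisers (`.init_library = kdb_samba_init_library,` and so on) make a layout change a compile error rather than a silently misbound vtable slot. Minor: `kdb_samba_db_get_age` returns `time(NULL)` on every call, so the lookaside cache is effectively always invalidated and the comment should say this is the intended trade-off; the lock/unlock comments should read "supports transactions"; the double blank line before `krb5_db_set_context()` and the missing blank line before `kdb_samba_fini_module` break the file's spacing.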
diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
new file mode 100644
index 0000000..0258b2d
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -0,0 +1,173 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * plugins/kdb/samba/kdb_samba.h
+ *
+ * Copyright (c) 2009, Simo Sorce <[email protected]>
+ * All Rights Reserved.
+ *
+ *   Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+#ifndef _KDB_SAMBA_H_
+#define _KDB_SAMBA_H_
+
+#include <stdbool.h>
+
+#include <krb5/krb5.h>
+#include <krb5/plugin.h>
+
+#define PAC_LOGON_INFO 1
+
+#ifndef discard_const_p
+#if defined(__intptr_t_defined) || defined(HAVE_INTPTR_T)
+# define discard_const_p(type, ptr) ((type *)((intptr_t)(ptr)))
+#else
+# define discard_const_p(type, ptr) ((type *)(ptr))
+#endif
+#endif
+
+/* from kdb_samba_common.c */
+
+struct mit_samba_context *ks_get_context(krb5_context kcontext);
+
+void ks_free_krb5_db_entry(krb5_context context,
+                          krb5_db_entry *entry);
+
+bool ks_data_eq_string(krb5_data d, const char *s);
+
+krb5_data ks_make_data(void *data, unsigned int len);
+
+krb5_boolean ks_is_kadmin(krb5_context context,
+                         krb5_const_principal princ);
+
+krb5_boolean ks_is_kadmin_history(krb5_context context,
+                                 krb5_const_principal princ);
+
+krb5_boolean ks_is_kadmin_changepw(krb5_context context,
+                                  krb5_const_principal princ);
+
+krb5_boolean ks_is_kadmin_admin(krb5_context context,
+                               krb5_const_principal princ);
+
+/* from kdb_samba_principals.c */
+
+krb5_error_code kdb_samba_db_get_principal(krb5_context context,
+                                          krb5_const_principal princ,
+                                          unsigned int kflags,
+                                          krb5_db_entry **kentry);
+
+void kdb_samba_db_free_principal(krb5_context context,
+                                krb5_db_entry *entry);
+
+krb5_error_code kdb_samba_db_put_principal(krb5_context context,
+                                          krb5_db_entry *entry,
+                                          char **db_args);
+
+krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
+                                             krb5_const_principal princ);
+
+#if KRB5_KDB_API_VERSION == 8
+krb5_error_code kdb_samba_db_iterate(krb5_context context,
+                                    char *match_entry,
+                                    int (*func)(krb5_pointer, krb5_db_entry *),
+                                    krb5_pointer func_arg,
+                                    krb5_flags iterflags);
+#else
+krb5_error_code kdb_samba_db_iterate(krb5_context context,
+                                    char *match_entry,
+                                    int (*func)(krb5_pointer, krb5_db_entry *),
+                                    krb5_pointer func_arg);
+#endif
+
+/* from kdb_samba_masterkey.c */
+
+krb5_error_code kdb_samba_fetch_master_key(krb5_context context,
+                                          krb5_principal name,
+                                          krb5_keyblock *key,
+                                          krb5_kvno *kvno,
+                                          char *db_args);
+
+krb5_error_code kdb_samba_fetch_master_key_list(krb5_context context,
+                                               krb5_principal mname,
+                                               const krb5_keyblock *key,
+                                               krb5_keylist_node **mkeys_list);
+
+/* from kdb_samba_pac.c */
+
+krb5_error_code kdb_samba_dbekd_decrypt_key_data(krb5_context context,
+                                                const krb5_keyblock *mkey,
+                                                const krb5_key_data *key_data,
+                                                krb5_keyblock *kkey,
+                                                krb5_keysalt *keysalt);
+
+krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
+                                                const krb5_keyblock *mkey,
+                                                const krb5_keyblock *kkey,
+                                                const krb5_keysalt *keysalt,
+                                                int keyver,
+                                                krb5_key_data *key_data);
+
+/* from kdb_samba_policies.c */
+
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+                                           unsigned int flags,
+                                           krb5_const_principal client_princ,
+                                           krb5_db_entry *client,
+                                           krb5_db_entry *server,
+                                           krb5_db_entry *krbtgt,
+                                           krb5_keyblock *client_key,
+                                           krb5_keyblock *server_key,
+                                           krb5_keyblock *krbtgt_key,
+                                           krb5_keyblock *session_key,
+                                           krb5_timestamp authtime,
+                                           krb5_authdata **tgt_auth_data,
+                                           krb5_authdata ***signed_auth_data);
+
+krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
+                                            krb5_kdc_req *kdcreq,
+                                            krb5_db_entry *client,
+                                            krb5_db_entry *server,
+                                            krb5_timestamp kdc_time,
+                                            const char **status,
+                                            krb5_pa_data ***e_data_out);
+
+krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
+                                                      krb5_const_principal 
client,
+                                                      const krb5_db_entry 
*server,
+                                                      krb5_const_principal 
proxy);
+
+void kdb_samba_db_audit_as_req(krb5_context kcontext,
+                              krb5_kdc_req *request,
+                              krb5_db_entry *client,
+                              krb5_db_entry *server,
+                              krb5_timestamp authtime,
+                              krb5_error_code error_code);
+
+/* from kdb_samba_change_pwd.c */
+
+krb5_error_code kdb_samba_change_pwd(krb5_context context,
+                                    krb5_keyblock *master_key,
+                                    krb5_key_salt_tuple *ks_tuple,
+                                    int ks_tuple_count, char *passwd,
+                                    int new_kvno, krb5_boolean keepold,
+                                    krb5_db_entry *db_entry);
+
+#endif /* _KDB_SAMBA_H_ */
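Review bot: the include guard `_KDB_SAMBA_H_` (closed by `#endif /* _KDB_SAMBA_H_ */`) begins with an underscore followed by an uppercase letter, a name form the C standard reserves for the implementation, so `KDB_SAMBA_H` would avoid any chance of colliding with a libc or compiler header. The prototypes here mirror the MIT KDB driver callback signatures, which is why `char *passwd` in `kdb_samba_change_pwd` is not `const` and why `kdb_samba_db_check_allowed_to_delegate` alone takes `const krb5_db_entry *server`; a one-line comment saying the signatures must match the MIT callback table would stop a later reader from "fixing" the constness and breaking the match.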
diff --git a/source4/kdc/mit-kdb/kdb_samba_change_pwd.c 
b/source4/kdc/mit-kdb/kdb_samba_change_pwd.c
new file mode 100644
index 0000000..e0264cb
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba_change_pwd.c
@@ -0,0 +1,56 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2010      Simo Sorce <[email protected]>.
+   Copyright (c) 2014      Andreas Schneider <[email protected]>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#include "system/kerberos.h"
+
+#include <profile.h>
+#include <kdb.h>
+
+#include "kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+krb5_error_code kdb_samba_change_pwd(krb5_context context,
+                                    krb5_keyblock *master_key,
+                                    krb5_key_salt_tuple *ks_tuple,
+                                    int ks_tuple_count, char *passwd,
+                                    int new_kvno, krb5_boolean keepold,
+                                    krb5_db_entry *db_entry)
+{
+       struct mit_samba_context *mit_ctx;
+       krb5_error_code code;
+
+       mit_ctx = ks_get_context(context);
+       if (mit_ctx == NULL) {
+               return KRB5_KDB_DBNOTINITED;
+       }
+
+       code = mit_samba_kpasswd_change_password(mit_ctx, passwd, db_entry);
+       if (code != 0) {
+               goto cleanup;
+       }
+
+cleanup:
+
+       return code;
+}
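Review bot: `goto cleanup` at the only failure point jumps to a label that does nothing except `return code;`, so the `goto` and the `cleanup:` label are dead code; `return mit_samba_kpasswd_change_password(mit_ctx, passwd, db_entry);` expresses the same thing without the detour (keep the label only if real cleanup is planned). More importantly, `master_key`, `ks_tuple`, `ks_tuple_count`, `new_kvno` and `keepold` are accepted but never read, so a kadmin caller asking to keep old keys or to set a specific kvno gets neither. If delegating key derivation and key history entirely to Samba is the intent, say so in a comment above the function so nobody later assumes those arguments are honoured.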
diff --git a/source4/kdc/mit-kdb/kdb_samba_common.c 
b/source4/kdc/mit-kdb/kdb_samba_common.c
new file mode 100644
index 0000000..1cd5469
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba_common.c
@@ -0,0 +1,150 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2010      Simo Sorce <[email protected]>.
+   Copyright (c) 2014      Andreas Schneider <[email protected]>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#include "system/kerberos.h"
+
+#include <profile.h>
+#include <kdb.h>
+
+#include "kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+struct mit_samba_context *ks_get_context(krb5_context kcontext)
+{
+       void *db_ctx;
+       krb5_error_code code;
+
+       code = krb5_db_get_context(kcontext, &db_ctx);
+       if (code != 0) {
+               return NULL;
+       }
+
+       return (struct mit_samba_context *)db_ctx;
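Review bot: `ks_get_context()` discards the `krb5_error_code` from `krb5_db_get_context()` and collapses both an error and a successfully returned NULL context into a bare NULL, so callers such as `kdb_samba_change_pwd()` can only answer with `KRB5_KDB_DBNOTINITED` without knowing which case they hit. Either log `code` before returning NULL or hand it back through an out-parameter. The unchecked cast to `struct mit_samba_context *` also relies on every path that stores a DAL context in this module storing exactly that type; a comment stating that invariant next to the cast would document the assumption.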


-- 
Samba Shared Repository
