The branch, master has been updated
       via  73e3ffb8418 python:tests: Store keys as bytes rather than as lists of ints
       via  6f12cf958f8 python:tests: Rewrite condition of while loop
       via  cb97e3f13df python:tests: Store keys as bytes rather than as tuples
       via  94e055b582e python:gkdi: Add helper methods returning previous and next GKIDs
       via  282e5784a03 s4:kdc: Add helper variable indicating whether we think we are performing a keytab export
       via  5a048ef0f81 s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()
       via  1889e0aea38 python: Move get_admin_sid() to SamDB
       via  786eab65cef s4:auth: Export AES128 gMSA keys along with AES256 keys by default
       via  103ca0276fb tests/krb5: Check that updated NT hashes of gMSAs have the values we expect
       via  1171589e355 ldb: Remove unnecessary declaration
       via  46955bc7664 lib:crypto: Fix Coverity build
       via  82224fca78c ctdb: Report errors from getline()
       via  f9309c221b9 ctdb: Ensure ‘ret’ is always initialized
      from  1a02c6e59c1 WHATSNEW: document ldaps/tls related option changes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 73e3ffb841842c748e0cda59ada0617dda035853
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 13:34:27 2024 +1200

    python:tests: Store keys as bytes rather than as lists of ints
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Apr 24 06:20:58 UTC 2024 on atb-devel-224

commit 6f12cf958f8ed92c3373372760564d95adcdfb94
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 13:37:40 2024 +1200

    python:tests: Rewrite condition of while loop
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cb97e3f13dfa8e8f7512639389aaccf93d53959a
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 13:36:28 2024 +1200

    python:tests: Store keys as bytes rather than as tuples
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 94e055b582e3c4498b99d3997df3db614b3e94e8
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 12:42:40 2024 +1200

    python:gkdi: Add helper methods returning previous and next GKIDs
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 282e5784a03add45dc662b27da6f2d29e1ab80cb
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 15 14:45:51 2024 +1200

    s4:kdc: Add helper variable indicating whether we think we are performing a keytab export
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5a048ef0f81d4f212019a9687a726eb0bfd67227
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 15 14:39:45 2024 +1200

    s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()
    
    This ldb context can be used to query the current gMSA time.
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1889e0aea389662a1e4111d7537f3c4e1c93d492
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 15 13:23:15 2024 +1200

    python: Move get_admin_sid() to SamDB
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 786eab65cefac69dfd38646437720f33994f8f47
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Tue Apr 23 13:13:20 2024 +1200

    s4:auth: Export AES128 gMSA keys along with AES256 keys by default
    
    This is what an existing test expects.
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 103ca0276fbda03592bfb4a460ba946218abfb16
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 22 10:53:30 2024 +1200

    tests/krb5: Check that updated NT hashes of gMSAs have the values we expect
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1171589e355e55b5fa08ae7da0210ac9ca2c7107
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 12:31:36 2024 +1200

    ldb: Remove unnecessary declaration
    
    This declaration is a hold‐over from the Python 2 module initialization
    pattern.
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 46955bc7664b8cf665c9bccf3b88d4afa26b9526
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 22 11:10:00 2024 +1200

    lib:crypto: Fix Coverity build
    
    The Coverity build is failing with the following errors:
    
    [1936/5164] Compiling lib/crypto/gkdi.c
    In file included from 
/usr/lib64/gcc/x86_64-suse-linux/7/include/stdint.h:9:0,
                     from /usr/include/inttypes.h:27,
                     from ../../lib/crypto/../replace/replace.h:64,
                     from ../../source4/include/includes.h:23,
                     from ../../lib/crypto/gkdi.c:21:
    ../../lib/crypto/gkdi.c: In function ‘gkdi_get_key_start_time’:
    ../../lib/crypto/gkdi.c:197:4: error: initializer element is not constant
        UINT64_MAX /
        ^
    ../../lib/crypto/gkdi.c:197:4: note: (near initialization for 
‘max_gkid.l0_idx’)
    ../../lib/crypto/gkdi.c:200:4: error: initializer element is not constant
        UINT64_MAX /
        ^
    ../../lib/crypto/gkdi.c:200:4: note: (near initialization for 
‘max_gkid.l1_idx’)
    ../../lib/crypto/gkdi.c:204:4: error: initializer element is not constant
        UINT64_MAX / gkdi_key_cycle_duration %
        ^
    ../../lib/crypto/gkdi.c:204:4: note: (near initialization for 
‘max_gkid.l2_idx’)
    
    Fix the build by removing the ‘static’ specifier on this constant.
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 82224fca78c4de1f9ae8524eb14dd0478641779c
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 14:26:20 2024 +1200

    ctdb: Report errors from getline()
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Martin Schwenke <mar...@meltin.net>

commit f9309c221b9e918462c3c4ac8a71a4dc288a35fc
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 14:26:35 2024 +1200

    ctdb: Ensure ‘ret’ is always initialized
    
    This avoids a compilation error:
    
    ../../ctdb/protocol/protocol_util.c: In function 
‘ctdb_connection_list_read’:
    ../../ctdb/protocol/protocol_util.c:787:9: error: ‘ret’ may be used 
uninitialized in this function [-Werror=maybe-uninitialized]
      787 |  return ret;
          |         ^~~
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Martin Schwenke <mar...@meltin.net>

-----------------------------------------------------------------------

Summary of changes:
 ctdb/protocol/protocol_util.c                     | 14 +++++++++++---
 lib/crypto/gkdi.c                                 |  2 +-
 lib/ldb/pyldb.c                                   |  1 -
 python/samba/gkdi.py                              |  6 ++++++
 python/samba/samdb.py                             |  7 +++++++
 python/samba/tests/dckeytab.py                    | 10 ++++------
 python/samba/tests/krb5/gmsa_tests.py             | 19 +++++++++++++++++++
 selftest/knownfail.d/gmsa                         |  1 -
 source4/auth/kerberos/srv_keytab.c                |  2 +-
 source4/auth/ntlm/auth_sam.c                      |  2 ++
 source4/dsdb/samdb/ldb_modules/password_hash.c    |  2 ++
 source4/dsdb/tests/python/unicodepwd_encrypted.py | 13 +++----------
 source4/kdc/db-glue.c                             | 12 +++++++++---
 source4/kdc/db-glue.h                             |  2 ++
 14 files changed, 67 insertions(+), 26 deletions(-)
 delete mode 100644 selftest/knownfail.d/gmsa


Changeset truncated at 500 lines:

diff --git a/ctdb/protocol/protocol_util.c b/ctdb/protocol/protocol_util.c
index 25e668b73ee..5e48c1513bc 100644
--- a/ctdb/protocol/protocol_util.c
+++ b/ctdb/protocol/protocol_util.c
@@ -749,9 +749,8 @@ int ctdb_connection_list_read(TALLOC_CTX *mem_ctx,
        struct ctdb_connection_list_read_state state;
        char *line = NULL;
        FILE *f = NULL;
-       int ret;
+       int ret = 0;
        size_t len = 0;
-       ssize_t nread;
 
        if (conn_list == NULL) {
                return EINVAL;
@@ -769,7 +768,16 @@ int ctdb_connection_list_read(TALLOC_CTX *mem_ctx,
                return errno;
        }
 
-       while ((nread = getline(&line, &len, f)) != -1) {
+       for (;;) {
+               ssize_t nread = getline(&line, &len, f);
+               if (nread == -1) {
+                       if (!feof(f)) {
+                               /* real error */
+                               ret = errno;
+                       }
+                       break;
+               }
+
                if ((nread > 0) && (line[nread-1] == '\n')) {
                        line[nread-1] = '\0';
                }
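Review bot: the error path reads errno only after calling feof(f); POSIX does not forbid feof() from touching errno, so the value that getline() left behind should be captured first. Suggest `ssize_t nread = getline(&line, &len, f);` followed immediately by `int save_errno = errno;` and then `ret = save_errno;` inside the `!feof(f)` branch. With that, the `ret = 0` initialisation in the previous hunk plus this single assignment give the function exactly one error source for the read loop, which is the behaviour the commit message is after.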
diff --git a/lib/crypto/gkdi.c b/lib/crypto/gkdi.c
index af00ea4217e..ae269d64a3e 100644
--- a/lib/crypto/gkdi.c
+++ b/lib/crypto/gkdi.c
@@ -193,7 +193,7 @@ bool gkdi_get_key_start_time(const struct Gkid gkid, NTTIME 
*start_time_out)
                 * Make sure that the GKID is not so large its start time can’t
                 * be represented in NTTIME.
                 */
-               static const struct Gkid max_gkid = {
+               const struct Gkid max_gkid = {
                        UINT64_MAX /
                                (gkdi_l1_key_iteration * gkdi_l2_key_iteration *
                                 gkdi_key_cycle_duration),
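Review bot: dropping `static` fixes the GCC 7 error because in C a `const`-qualified object such as `gkdi_l1_key_iteration` is not an integer constant expression, so it may not appear in a static initialiser; the cost is that `max_gkid` is now recomputed on every call to `gkdi_get_key_start_time()`. If the iteration and cycle-duration values were `enum` or `#define` constants the `static` could stay and the compiler would fold the divisions. The three divisions are cheap, so the change is acceptable, but a one-line comment above `const struct Gkid max_gkid` saying why it is deliberately not `static` would stop the next reader from putting it back.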
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index d54a952ac01..53b855990bb 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -57,7 +57,6 @@ struct py_ldb_search_iterator_reply {
        PyObject *obj;
 };
 
-void initldb(void);
 static PyObject *PyLdbMessage_FromMessage(struct ldb_message *msg, PyLdbObject 
*pyldb);
 static PyObject *PyExc_LdbError;
 
diff --git a/python/samba/gkdi.py b/python/samba/gkdi.py
index 22890c83ff3..6d29b5d8d2b 100644
--- a/python/samba/gkdi.py
+++ b/python/samba/gkdi.py
@@ -289,6 +289,12 @@ class Gkid:
 
         return start_time
 
+    def previous(self) -> "Gkid":
+        return Gkid.from_nt_time(NtTime(self.start_nt_time() - 
KEY_CYCLE_DURATION))
+
+    def next(self) -> "Gkid":
+        return Gkid.from_nt_time(NtTime(self.start_nt_time() + 
KEY_CYCLE_DURATION))
+
     @staticmethod
     def from_key_envelope(env: gkdi.KeyEnvelope) -> "Gkid":
         return Gkid(env.l0_index, env.l1_index, env.l2_index)
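Review bot: `previous()` and `next()` have no docstrings and no handling of the lower boundary: for the earliest representable GKID `self.start_nt_time() - KEY_CYCLE_DURATION` goes negative before it reaches `NtTime(...)` and `Gkid.from_nt_time(...)`, and whether that raises or silently wraps depends on code outside this hunk. Suggest a docstring on each stating that the result is the GKID one key cycle earlier or later, and a test that calls `previous()` on the first GKID so the boundary behaviour is pinned down rather than implied. Naming a method `next` also invites readers to expect iterator semantics on `Gkid`; `successor()`/`predecessor()` or a docstring would avoid that.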
diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index b831cf56250..eced40a6541 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -1557,6 +1557,13 @@ schemaUpdateNow: 1
         dn = dsdb._dsdb_create_gkdi_root_key(self, *args, **kwargs)
         return dn
 
+    def get_admin_sid(self):
+        res = self.search(
+            base="", expression="", scope=ldb.SCOPE_BASE, 
attrs=["tokenGroups"])
+
+        return self.schema_format_value(
+            "tokenGroups", res[0]["tokenGroups"][0]).decode("utf8")
+
 
 class dsdb_Dn(object):
     """a class for binary DN"""
diff --git a/python/samba/tests/dckeytab.py b/python/samba/tests/dckeytab.py
index a382e8b7356..31139c0360f 100644
--- a/python/samba/tests/dckeytab.py
+++ b/python/samba/tests/dckeytab.py
@@ -55,7 +55,7 @@ class DCKeytabTests(TestCaseInTempDir):
             principal = '/'.join(entry.principal.components) + 
f"@{entry.principal.realm}"
             enctype = entry.enctype
             kvno = entry.key_version
-            key = tuple(entry.key.data)
+            key = bytes(entry.key.data)
             return (principal, enctype, kvno, key)
 
         keytab = ndr_unpack(krb5ccache.KEYTAB, keytab_bytes)
@@ -67,7 +67,7 @@ class DCKeytabTests(TestCaseInTempDir):
         keytab_as_set.add(entry_as_tuple)
 
         keytab_bytes = keytab.further_entry
-        while True:
+        while keytab_bytes:
             multiple_entry = ndr_unpack(krb5ccache.MULTIPLE_KEYTAB_ENTRIES, 
keytab_bytes)
             entry = multiple_entry.entry
             entry_as_tuple = entry_to_tuple(entry)
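Review bot: this is a small behaviour change, not just a rewrite of the condition: before, a keytab whose `keytab.further_entry` was empty still entered the loop and called `ndr_unpack(krb5ccache.MULTIPLE_KEYTAB_ENTRIES, b"")` before the `if not keytab_bytes: break` could run; now the single-entry case skips the loop entirely. That is the right outcome, but it is worth a sentence in the commit message. The two `while True:` loops further down in this file (`remote_keys` and `local_keys`) keep the old pattern and could take the same `while keytab_bytes:` shape for consistency.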
@@ -75,8 +75,6 @@ class DCKeytabTests(TestCaseInTempDir):
             keytab_as_set.add(entry_as_tuple)
 
             keytab_bytes = multiple_entry.further_entry
-            if not keytab_bytes:
-                break
 
         return keytab_as_set
 
@@ -438,7 +436,7 @@ class DCKeytabTests(TestCaseInTempDir):
         remote_keys = {}
 
         while True:
-            remote_keys[remote_keytab.entry.enctype] = 
remote_keytab.entry.key.data
+            remote_keys[remote_keytab.entry.enctype] = 
bytes(remote_keytab.entry.key.data)
             keytab_bytes = remote_keytab.further_entry
             if not keytab_bytes:
                 break
@@ -448,7 +446,7 @@ class DCKeytabTests(TestCaseInTempDir):
         local_keys = {}
 
         while True:
-            local_keys[local_keytab.entry.enctype] = 
local_keytab.entry.key.data
+            local_keys[local_keytab.entry.enctype] = 
bytes(local_keytab.entry.key.data)
             keytab_bytes = local_keytab.further_entry
             if not keytab_bytes:
                 break
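Review bot: the `remote_keys` and `local_keys` loops in these two hunks are identical apart from the target dict, which is why the `bytes(...)` fix had to be applied twice. A small helper, for example `def keytab_keys_by_enctype(keytab): ...` returning the dict, would let both callers share the loop and make the `bytes` conversion a single point of change; it would also be the natural place to reuse the `while keytab_bytes:` condition introduced earlier in this file.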
diff --git a/python/samba/tests/krb5/gmsa_tests.py 
b/python/samba/tests/krb5/gmsa_tests.py
index 80529daf7d0..eff5a69f155 100755
--- a/python/samba/tests/krb5/gmsa_tests.py
+++ b/python/samba/tests/krb5/gmsa_tests.py
@@ -920,6 +920,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
             res[0].get("supplementalCredentials", idx=0)
         )
 
+        # Check that the NT hash is the value we expect.
+        self.assertEqual(creds.get_nt_hash(), previous_nt_hash)
+
         # Search for the managed password over LDAP, triggering an update of 
the
         # keys in the database.
         res = samdb.search(dn, scope=ldb.SCOPE_BASE, 
attrs=["msDS-ManagedPassword"])
@@ -950,6 +953,16 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
             "supplementalCredentials has not been updated (yet)",
         )
 
+        # Set the new password.
+        managed_pwd = ndr_unpack(gmsa.MANAGEDPASSWORD_BLOB, managed_password)
+        self.assertIsNotNone(
+            managed_pwd.passwords.current, "current password must be present"
+        )
+        creds.set_utf16_password(managed_pwd.passwords.current)
+
+        # Check that the new NT hash is the value we expect.
+        self.assertEqual(creds.get_nt_hash(), nt_hash)
+
     def test_authentication_triggers_keys_update(self):
         # Create a root key with a start time early enough to be usable at the
         # time the gMSA is purported to be created. But don’t create it on a
@@ -984,6 +997,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
             res[0].get("supplementalCredentials", idx=0)
         )
 
+        # Check that the NT hash is the value we expect.
+        self.assertEqual(creds.get_nt_hash(), previous_nt_hash)
+
         # Calculate the password with which to authenticate.
         managed_pwd = self.expected_current_gmsa_password_blob(
             samdb, creds, future_key_is_acceptable=False
@@ -1021,6 +1037,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
             "supplementalCredentials has not been updated (yet)",
         )
 
+        # Check that the new NT hash is the value we expect.
+        self.assertEqual(creds.get_nt_hash(), nt_hash)
+
     def test_gmsa_can_perform_gensec_ntlmssp_logon(self):
         creds = self.gmsa_account(kerberos_enabled=False)
 
diff --git a/selftest/knownfail.d/gmsa b/selftest/knownfail.d/gmsa
deleted file mode 100644
index 7a126d6cc22..00000000000
--- a/selftest/knownfail.d/gmsa
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_gmsa
diff --git a/source4/auth/kerberos/srv_keytab.c 
b/source4/auth/kerberos/srv_keytab.c
index 4d5306d9002..a2f0d172e02 100644
--- a/source4/auth/kerberos/srv_keytab.c
+++ b/source4/auth/kerberos/srv_keytab.c
@@ -350,7 +350,7 @@ NTSTATUS smb_krb5_fill_keytab_gmsa_keys(TALLOC_CTX *mem_ctx,
 
        supported_enctypes = ldb_msg_find_attr_as_uint(msg,
                                                       
"msDS-SupportedEncryptionTypes",
-                                                      ENC_HMAC_SHA1_96_AES256);
+                                                      ENC_STRONG_SALTED_TYPES);
        /*
         * We trim this down to just the salted AES types, as the
         * passwords are now wrong for rc4-hmac due to the mapping of
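Review bot: this widens the default used when `msDS-SupportedEncryptionTypes` is absent from `ENC_HMAC_SHA1_96_AES256` to `ENC_STRONG_SALTED_TYPES`, so an object with no attribute now gets AES128 keys exported as well. The commit message justifies it only by "what an existing test expects"; please also state that this default matches what the KDC derives for a gMSA without the attribute, since a keytab/KDC mismatch here is exactly the failure the test caught. Also confirm that `ENC_STRONG_SALTED_TYPES` contains only the two AES types, otherwise the comment immediately below ("just the salted AES types") no longer describes the trimming.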
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index d12045d8e1c..099d10e7917 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -400,6 +400,7 @@ static NTSTATUS authsam_password_check_and_record(struct 
auth4_context *auth_con
 
                krb5_ret = 
dsdb_extract_aes_256_key(smb_krb5_context->krb5_context,
                                                    tmp_ctx,
+                                                   sam_ctx,
                                                    msg,
                                                    userAccountControl,
                                                    NULL, /* kvno */
@@ -551,6 +552,7 @@ static NTSTATUS authsam_password_check_and_record(struct 
auth4_context *auth_con
 
                        krb5_ret = 
dsdb_extract_aes_256_key(smb_krb5_context->krb5_context,
                                                            tmp_ctx,
+                                                           sam_ctx,
                                                            msg,
                                                            userAccountControl,
                                                            &request_kvno, /* 
kvno */
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c 
b/source4/dsdb/samdb/ldb_modules/password_hash.c
index c352eb9f5dc..5783e67eddf 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -3164,6 +3164,7 @@ static int check_password_restrictions(struct 
setup_password_fields_io *io, WERR
                 */
                krb5_ret = 
dsdb_extract_aes_256_key(io->smb_krb5_context->krb5_context,
                                                    io->ac,
+                                                   ldb,
                                                    io->ac->search_res->message,
                                                    io->u.userAccountControl,
                                                    &request_kvno, /* kvno */
@@ -4066,6 +4067,7 @@ static int setup_io(struct ph_context *ac,
                 */
                krb5_ret = 
dsdb_extract_aes_256_key(io->smb_krb5_context->krb5_context,
                                                    io->ac,
+                                                   ldb,
                                                    existing_msg,
                                                    io->u.userAccountControl,
                                                    NULL, /* kvno */
diff --git a/source4/dsdb/tests/python/unicodepwd_encrypted.py 
b/source4/dsdb/tests/python/unicodepwd_encrypted.py
index c48f0aa624a..e6ec54650a1 100644
--- a/source4/dsdb/tests/python/unicodepwd_encrypted.py
+++ b/source4/dsdb/tests/python/unicodepwd_encrypted.py
@@ -6,7 +6,7 @@ import optparse
 sys.path.insert(0, "bin/python")
 import samba.getopt as options
 from ldb import Message, MessageElement, Dn
-from ldb import LdbError, FLAG_MOD_REPLACE, ERR_UNWILLING_TO_PERFORM, 
SCOPE_BASE
+from ldb import LdbError, FLAG_MOD_REPLACE, ERR_UNWILLING_TO_PERFORM
 from samba import gensec
 from samba.auth import system_session
 from samba.samdb import SamDB
@@ -75,13 +75,6 @@ class UnicodePwdEncryptedConnectionTests(PasswordTestCase):
         )
         ldb.modify(m)
 
-    def get_admin_sid(self, ldb):
-        res = ldb.search(
-            base="", expression="", scope=SCOPE_BASE, attrs=["tokenGroups"])
-
-        return ldb.schema_format_value(
-            "tokenGroups", res[0]["tokenGroups"][0]).decode("utf8")
-
     def test_with_seal(self):
         """Test unicodePwd on connection with seal.
 
@@ -123,7 +116,7 @@ class UnicodePwdEncryptedConnectionTests(PasswordTestCase):
 
     def test_simple_bind_plain(self):
         """Test unicodePwd using simple bind without encryption."""
-        admin_sid = self.get_admin_sid(self.ldb)
+        admin_sid = self.ldb.get_admin_sid()
 
         self.creds.set_bind_dn(admin_sid)
         ldb = SamDB(url=host_ldap, credentials=self.creds, lp=lp)
@@ -140,7 +133,7 @@ class UnicodePwdEncryptedConnectionTests(PasswordTestCase):
 
     def test_simple_bind_tls(self):
         """Test unicodePwd using simple bind with encryption."""
-        admin_sid = self.get_admin_sid(self.ldb)
+        admin_sid = self.ldb.get_admin_sid()
 
         self.creds.set_bind_dn(admin_sid)
         ldb = SamDB(url=host_ldaps, credentials=self.creds, lp=lp)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 783602d8e00..1c00527d481 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -577,6 +577,7 @@ fail:
 
 krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
                                             TALLOC_CTX *mem_ctx,
+                                            struct ldb_context *ldb,
                                             const struct ldb_message *msg,
                                             bool is_krbtgt,
                                             bool is_rodc,
@@ -611,6 +612,7 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context 
context,
        struct samba_kdc_user_keys older_keys = { .num_pkeys = 0, };
        uint32_t available_enctypes = 0;
        uint32_t supported_enctypes = supported_enctypes_in;
+       const bool exporting_keytab = flags & SDB_F_ADMIN_DATA;
 
        *supported_enctypes_out = 0;
 
@@ -825,7 +827,7 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context 
context,
 
                if ((flags & SDB_F_GET_CLIENT) && (flags & SDB_F_FOR_AS_REQ)) {
                        include_history = true;
-               } else if (flags & SDB_F_ADMIN_DATA) {
+               } else if (exporting_keytab) {
                        include_history = true;
                }
 
@@ -1670,7 +1672,8 @@ static krb5_error_code 
samba_kdc_message2entry(krb5_context context,
        supported_session_etypes &= kdc_enctypes;
 
        /* Get keys from the db */
-       ret = samba_kdc_message2entry_keys(context, p, msg,
+       ret = samba_kdc_message2entry_keys(context, p,
+                                          kdc_db_ctx->samdb, msg,
                                           is_krbtgt, is_rodc,
                                           userAccountControl,
                                           ent_type, flags, kvno, entry,
@@ -1696,7 +1699,8 @@ static krb5_error_code 
samba_kdc_message2entry(krb5_context context,
            (kdc_enctypes & ENC_RC4_HMAC_MD5) != 0)
        {
                supported_enctypes = ENC_RC4_HMAC_MD5;
-               ret = samba_kdc_message2entry_keys(context, p, msg,
+               ret = samba_kdc_message2entry_keys(context, p,
+                                                  kdc_db_ctx->samdb, msg,
                                                   is_krbtgt, is_rodc,
                                                   userAccountControl,
                                                   ent_type, flags, kvno, entry,
@@ -3790,6 +3794,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, 
struct samba_kdc_base_conte
 
 krb5_error_code dsdb_extract_aes_256_key(krb5_context context,
                                         TALLOC_CTX *mem_ctx,
+                                        struct ldb_context *ldb,
                                         const struct ldb_message *msg,
                                         uint32_t user_account_control,
                                         const uint32_t *kvno,
@@ -3808,6 +3813,7 @@ krb5_error_code dsdb_extract_aes_256_key(krb5_context 
context,
 
        krb5_ret = samba_kdc_message2entry_keys(context,
                                                mem_ctx,
+                                               ldb,
                                                msg,
                                                false, /* is_krbtgt */
                                                false, /* is_rodc */
diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h
index fb74726b40c..1ac692eb820 100644
--- a/source4/kdc/db-glue.h
+++ b/source4/kdc/db-glue.h
@@ -42,6 +42,7 @@ enum samba_kdc_ent_type {
  */
 krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
                                             TALLOC_CTX *mem_ctx,
+                                            struct ldb_context *ldb,
                                             const struct ldb_message *msg,
                                             bool is_krbtgt,
                                             bool is_rodc,
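Review bot: the new `struct ldb_context *ldb` parameter is inserted under an existing doc comment (the closing ` */` just above the prototype) without being described, and the same applies to `dsdb_extract_aes_256_key()` below. The three callers pass different objects (`kdc_db_ctx->samdb`, `sam_ctx`, the module's `ldb`), so the comment should say what the function needs from it, per the commit message "used to query the current gMSA time", and whether NULL is permitted.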
@@ -105,6 +106,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct 
samba_kdc_base_conte
 
 krb5_error_code dsdb_extract_aes_256_key(krb5_context context,
                                         TALLOC_CTX *mem_ctx,
+                                        struct ldb_context *ldb,
                                         const struct ldb_message *msg,
                                         uint32_t user_account_control,
                                         const uint32_t *kvno,


-- 
Samba Shared Repository
