The branch, master has been updated
       via  73e3ffb8418 python:tests: Store keys as bytes rather than as lists of ints
       via  6f12cf958f8 python:tests: Rewrite condition of while loop
       via  cb97e3f13df python:tests: Store keys as bytes rather than as tuples
       via  94e055b582e python:gkdi: Add helper methods returning previous and next GKIDs
       via  282e5784a03 s4:kdc: Add helper variable indicating whether we think we are performing a keytab export
       via  5a048ef0f81 s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()
       via  1889e0aea38 python: Move get_admin_sid() to SamDB
       via  786eab65cef s4:auth: Export AES128 gMSA keys along with AES256 keys by default
       via  103ca0276fb tests/krb5: Check that updated NT hashes of gMSAs have the values we expect
       via  1171589e355 ldb: Remove unnecessary declaration
       via  46955bc7664 lib:crypto: Fix Coverity build
       via  82224fca78c ctdb: Report errors from getline()
       via  f9309c221b9 ctdb: Ensure ‘ret’ is always initialized
      from  1a02c6e59c1 WHATSNEW: document ldaps/tls related option changes

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 73e3ffb841842c748e0cda59ada0617dda035853
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 13:34:27 2024 +1200

    python:tests: Store keys as bytes rather than as lists of ints

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Apr 24 06:20:58 UTC 2024 on atb-devel-224

commit 6f12cf958f8ed92c3373372760564d95adcdfb94
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 13:37:40 2024 +1200

    python:tests: Rewrite condition of while loop

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cb97e3f13dfa8e8f7512639389aaccf93d53959a
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 13:36:28 2024 +1200

    python:tests: Store keys as bytes rather than as tuples

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 94e055b582e3c4498b99d3997df3db614b3e94e8
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 12:42:40 2024 +1200

    python:gkdi: Add helper methods returning previous and next GKIDs

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 282e5784a03add45dc662b27da6f2d29e1ab80cb
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 15 14:45:51 2024 +1200

    s4:kdc: Add helper variable indicating whether we think we are performing a keytab export

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5a048ef0f81d4f212019a9687a726eb0bfd67227
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 15 14:39:45 2024 +1200

    s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()

    This ldb context can be used to query the current gMSA time.

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1889e0aea389662a1e4111d7537f3c4e1c93d492
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 15 13:23:15 2024 +1200

    python: Move get_admin_sid() to SamDB

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 786eab65cefac69dfd38646437720f33994f8f47
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Tue Apr 23 13:13:20 2024 +1200

    s4:auth: Export AES128 gMSA keys along with AES256 keys by default

    This is what an existing test expects.

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 103ca0276fbda03592bfb4a460ba946218abfb16
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 22 10:53:30 2024 +1200

    tests/krb5: Check that updated NT hashes of gMSAs have the values we expect

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1171589e355e55b5fa08ae7da0210ac9ca2c7107
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 12:31:36 2024 +1200

    ldb: Remove unnecessary declaration

    This declaration is a hold‐over from the Python 2 module initialization
    pattern.

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 46955bc7664b8cf665c9bccf3b88d4afa26b9526
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 22 11:10:00 2024 +1200

    lib:crypto: Fix Coverity build

    The Coverity build is failing with the following errors:

    [1936/5164] Compiling lib/crypto/gkdi.c
    In file included from /usr/lib64/gcc/x86_64-suse-linux/7/include/stdint.h:9:0,
                     from /usr/include/inttypes.h:27,
                     from ../../lib/crypto/../replace/replace.h:64,
                     from ../../source4/include/includes.h:23,
                     from ../../lib/crypto/gkdi.c:21:
    ../../lib/crypto/gkdi.c: In function ‘gkdi_get_key_start_time’:
    ../../lib/crypto/gkdi.c:197:4: error: initializer element is not constant
        UINT64_MAX /
        ^
    ../../lib/crypto/gkdi.c:197:4: note: (near initialization for ‘max_gkid.l0_idx’)
    ../../lib/crypto/gkdi.c:200:4: error: initializer element is not constant
        UINT64_MAX /
        ^
    ../../lib/crypto/gkdi.c:200:4: note: (near initialization for ‘max_gkid.l1_idx’)
    ../../lib/crypto/gkdi.c:204:4: error: initializer element is not constant
        UINT64_MAX / gkdi_key_cycle_duration %
        ^
    ../../lib/crypto/gkdi.c:204:4: note: (near initialization for ‘max_gkid.l2_idx’)

    Fix the build by removing the ‘static’ specifier on this constant.

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 82224fca78c4de1f9ae8524eb14dd0478641779c
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed Apr 24 14:26:20 2024 +1200

    ctdb: Report errors from getline()

Signed-off-by: Jo Sutton <josut...@catalyst.net.nz> Reviewed-by: Martin Schwenke <mar...@meltin.net> commit f9309c221b9e918462c3c4ac8a71a4dc288a35fc Author: Jo Sutton <josut...@catalyst.net.nz> Date: Wed Apr 24 14:26:35 2024 +1200 ctdb: Ensure ‘ret’ is always initialized This avoids a compilation error: ../../ctdb/protocol/protocol_util.c: In function ‘ctdb_connection_list_read’: ../../ctdb/protocol/protocol_util.c:787:9: error: ‘ret’ may be used uninitialized in this function [-Werror=maybe-uninitialized] 787 | return ret; | ^~~ Signed-off-by: Jo Sutton <josut...@catalyst.net.nz> Reviewed-by: Martin Schwenke <mar...@meltin.net> ----------------------------------------------------------------------- Summary of changes: ctdb/protocol/protocol_util.c | 14 +++++++++++--- lib/crypto/gkdi.c | 2 +- lib/ldb/pyldb.c | 1 - python/samba/gkdi.py | 6 ++++++ python/samba/samdb.py | 7 +++++++ python/samba/tests/dckeytab.py | 10 ++++------ python/samba/tests/krb5/gmsa_tests.py | 19 +++++++++++++++++++ selftest/knownfail.d/gmsa | 1 - source4/auth/kerberos/srv_keytab.c | 2 +- source4/auth/ntlm/auth_sam.c | 2 ++ source4/dsdb/samdb/ldb_modules/password_hash.c | 2 ++ source4/dsdb/tests/python/unicodepwd_encrypted.py | 13 +++---------- source4/kdc/db-glue.c | 12 +++++++++--- source4/kdc/db-glue.h | 2 ++ 14 files changed, 67 insertions(+), 26 deletions(-) delete mode 100644 selftest/knownfail.d/gmsa Changeset truncated at 500 lines: diff --git a/ctdb/protocol/protocol_util.c b/ctdb/protocol/protocol_util.c index 25e668b73ee..5e48c1513bc 100644 --- a/ctdb/protocol/protocol_util.c +++ b/ctdb/protocol/protocol_util.c @@ -749,9 +749,8 @@ int ctdb_connection_list_read(TALLOC_CTX *mem_ctx, struct ctdb_connection_list_read_state state; char *line = NULL; FILE *f = NULL; - int ret; + int ret = 0; size_t len = 0; - ssize_t nread; if (conn_list == NULL) { return EINVAL; 
@@ -769,7 +768,16 @@ int ctdb_connection_list_read(TALLOC_CTX *mem_ctx, return errno; } - while ((nread = getline(&line, &len, f)) != -1) { + for (;;) { + ssize_t nread = getline(&line, &len, f); + if (nread == -1) { + if (!feof(f)) { + /* real error */ + ret = errno; + } + break; + } + if ((nread > 0) && (line[nread-1] == '\n')) { line[nread-1] = '\0'; } diff --git a/lib/crypto/gkdi.c b/lib/crypto/gkdi.c index af00ea4217e..ae269d64a3e 100644 --- a/lib/crypto/gkdi.c +++ b/lib/crypto/gkdi.c @@ -193,7 +193,7 @@ bool gkdi_get_key_start_time(const struct Gkid gkid, NTTIME *start_time_out) * Make sure that the GKID is not so large its start time can’t * be represented in NTTIME. */ - static const struct Gkid max_gkid = { + const struct Gkid max_gkid = { UINT64_MAX / (gkdi_l1_key_iteration * gkdi_l2_key_iteration * gkdi_key_cycle_duration), diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index d54a952ac01..53b855990bb 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -57,7 +57,6 @@ struct py_ldb_search_iterator_reply { PyObject *obj; }; -void initldb(void); static PyObject *PyLdbMessage_FromMessage(struct ldb_message *msg, PyLdbObject *pyldb); static PyObject *PyExc_LdbError; diff --git a/python/samba/gkdi.py b/python/samba/gkdi.py index 22890c83ff3..6d29b5d8d2b 100644 --- a/python/samba/gkdi.py +++ b/python/samba/gkdi.py @@ -289,6 +289,12 @@ class Gkid: return start_time + def previous(self) -> "Gkid": + return Gkid.from_nt_time(NtTime(self.start_nt_time() - KEY_CYCLE_DURATION)) + + def next(self) -> "Gkid": + return Gkid.from_nt_time(NtTime(self.start_nt_time() + KEY_CYCLE_DURATION)) + @staticmethod def from_key_envelope(env: gkdi.KeyEnvelope) -> "Gkid": return Gkid(env.l0_index, env.l1_index, env.l2_index) diff --git a/python/samba/samdb.py b/python/samba/samdb.py index b831cf56250..eced40a6541 100644 --- a/python/samba/samdb.py +++ b/python/samba/samdb.py 
@@ -1557,6 +1557,13 @@ schemaUpdateNow: 1 dn = dsdb._dsdb_create_gkdi_root_key(self, *args, **kwargs) return dn + def get_admin_sid(self): + res = self.search( + base="", expression="", scope=ldb.SCOPE_BASE, attrs=["tokenGroups"]) + + return self.schema_format_value( + "tokenGroups", res[0]["tokenGroups"][0]).decode("utf8") + class dsdb_Dn(object): """a class for binary DN""" diff --git a/python/samba/tests/dckeytab.py b/python/samba/tests/dckeytab.py index a382e8b7356..31139c0360f 100644 --- a/python/samba/tests/dckeytab.py +++ b/python/samba/tests/dckeytab.py @@ -55,7 +55,7 @@ class DCKeytabTests(TestCaseInTempDir): principal = '/'.join(entry.principal.components) + f"@{entry.principal.realm}" enctype = entry.enctype kvno = entry.key_version - key = tuple(entry.key.data) + key = bytes(entry.key.data) return (principal, enctype, kvno, key) keytab = ndr_unpack(krb5ccache.KEYTAB, keytab_bytes) @@ -67,7 +67,7 @@ class DCKeytabTests(TestCaseInTempDir): keytab_as_set.add(entry_as_tuple) keytab_bytes = keytab.further_entry - while True: + while keytab_bytes: multiple_entry = ndr_unpack(krb5ccache.MULTIPLE_KEYTAB_ENTRIES, keytab_bytes) entry = multiple_entry.entry entry_as_tuple = entry_to_tuple(entry) @@ -75,8 +75,6 @@ class DCKeytabTests(TestCaseInTempDir): keytab_as_set.add(entry_as_tuple) keytab_bytes = multiple_entry.further_entry - if not keytab_bytes: - break return keytab_as_set @@ -438,7 +436,7 @@ class DCKeytabTests(TestCaseInTempDir): remote_keys = {} while True: - remote_keys[remote_keytab.entry.enctype] = remote_keytab.entry.key.data + remote_keys[remote_keytab.entry.enctype] = bytes(remote_keytab.entry.key.data) keytab_bytes = remote_keytab.further_entry if not keytab_bytes: break 
@@ -448,7 +446,7 @@ class DCKeytabTests(TestCaseInTempDir): local_keys = {} while True: - local_keys[local_keytab.entry.enctype] = local_keytab.entry.key.data + local_keys[local_keytab.entry.enctype] = bytes(local_keytab.entry.key.data) keytab_bytes = local_keytab.further_entry if not keytab_bytes: break diff --git a/python/samba/tests/krb5/gmsa_tests.py b/python/samba/tests/krb5/gmsa_tests.py index 80529daf7d0..eff5a69f155 100755 --- a/python/samba/tests/krb5/gmsa_tests.py +++ b/python/samba/tests/krb5/gmsa_tests.py @@ -920,6 +920,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest): res[0].get("supplementalCredentials", idx=0) ) + # Check that the NT hash is the value we expect. + self.assertEqual(creds.get_nt_hash(), previous_nt_hash) + # Search for the managed password over LDAP, triggering an update of the # keys in the database. res = samdb.search(dn, scope=ldb.SCOPE_BASE, attrs=["msDS-ManagedPassword"]) @@ -950,6 +953,16 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest): "supplementalCredentials has not been updated (yet)", ) + # Set the new password. + managed_pwd = ndr_unpack(gmsa.MANAGEDPASSWORD_BLOB, managed_password) + self.assertIsNotNone( + managed_pwd.passwords.current, "current password must be present" + ) + creds.set_utf16_password(managed_pwd.passwords.current) + + # Check that the new NT hash is the value we expect. + self.assertEqual(creds.get_nt_hash(), nt_hash) + def test_authentication_triggers_keys_update(self): # Create a root key with a start time early enough to be usable at the # time the gMSA is purported to be created. But don’t create it on a @@ -984,6 +997,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest): res[0].get("supplementalCredentials", idx=0) ) + # Check that the NT hash is the value we expect. + self.assertEqual(creds.get_nt_hash(), previous_nt_hash) + # Calculate the password with which to authenticate. managed_pwd = self.expected_current_gmsa_password_blob( samdb, creds, future_key_is_acceptable=False 
@@ -1021,6 +1037,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest): "supplementalCredentials has not been updated (yet)", ) + # Check that the new NT hash is the value we expect. + self.assertEqual(creds.get_nt_hash(), nt_hash) + def test_gmsa_can_perform_gensec_ntlmssp_logon(self): creds = self.gmsa_account(kerberos_enabled=False) diff --git a/selftest/knownfail.d/gmsa b/selftest/knownfail.d/gmsa deleted file mode 100644 index 7a126d6cc22..00000000000 --- a/selftest/knownfail.d/gmsa +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.dckeytab.samba.tests.dckeytab.DCKeytabTests.test_export_keytab_gmsa diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c index 4d5306d9002..a2f0d172e02 100644 --- a/source4/auth/kerberos/srv_keytab.c +++ b/source4/auth/kerberos/srv_keytab.c @@ -350,7 +350,7 @@ NTSTATUS smb_krb5_fill_keytab_gmsa_keys(TALLOC_CTX *mem_ctx, supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes", - ENC_HMAC_SHA1_96_AES256); + ENC_STRONG_SALTED_TYPES); /* * We trim this down to just the salted AES types, as the * passwords are now wrong for rc4-hmac due to the mapping of diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index d12045d8e1c..099d10e7917 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -400,6 +400,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con krb5_ret = dsdb_extract_aes_256_key(smb_krb5_context->krb5_context, tmp_ctx, + sam_ctx, msg, userAccountControl, NULL, /* kvno */ @@ -551,6 +552,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con krb5_ret = dsdb_extract_aes_256_key(smb_krb5_context->krb5_context, tmp_ctx, + sam_ctx, msg, userAccountControl, &request_kvno, /* kvno */ diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index c352eb9f5dc..5783e67eddf 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c 
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -3164,6 +3164,7 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR */ krb5_ret = dsdb_extract_aes_256_key(io->smb_krb5_context->krb5_context, io->ac, + ldb, io->ac->search_res->message, io->u.userAccountControl, &request_kvno, /* kvno */ @@ -4066,6 +4067,7 @@ static int setup_io(struct ph_context *ac, */ krb5_ret = dsdb_extract_aes_256_key(io->smb_krb5_context->krb5_context, io->ac, + ldb, existing_msg, io->u.userAccountControl, NULL, /* kvno */ diff --git a/source4/dsdb/tests/python/unicodepwd_encrypted.py b/source4/dsdb/tests/python/unicodepwd_encrypted.py index c48f0aa624a..e6ec54650a1 100644 --- a/source4/dsdb/tests/python/unicodepwd_encrypted.py +++ b/source4/dsdb/tests/python/unicodepwd_encrypted.py @@ -6,7 +6,7 @@ import optparse sys.path.insert(0, "bin/python") import samba.getopt as options from ldb import Message, MessageElement, Dn -from ldb import LdbError, FLAG_MOD_REPLACE, ERR_UNWILLING_TO_PERFORM, SCOPE_BASE +from ldb import LdbError, FLAG_MOD_REPLACE, ERR_UNWILLING_TO_PERFORM from samba import gensec from samba.auth import system_session from samba.samdb import SamDB @@ -75,13 +75,6 @@ class UnicodePwdEncryptedConnectionTests(PasswordTestCase): ) ldb.modify(m) - def get_admin_sid(self, ldb): - res = ldb.search( - base="", expression="", scope=SCOPE_BASE, attrs=["tokenGroups"]) - - return ldb.schema_format_value( - "tokenGroups", res[0]["tokenGroups"][0]).decode("utf8") - def test_with_seal(self): """Test unicodePwd on connection with seal. @@ -123,7 +116,7 @@ class UnicodePwdEncryptedConnectionTests(PasswordTestCase): def test_simple_bind_plain(self): """Test unicodePwd using simple bind without encryption.""" - admin_sid = self.get_admin_sid(self.ldb) + admin_sid = self.ldb.get_admin_sid() self.creds.set_bind_dn(admin_sid) ldb = SamDB(url=host_ldap, credentials=self.creds, lp=lp) 
@@ -140,7 +133,7 @@ class UnicodePwdEncryptedConnectionTests(PasswordTestCase): def test_simple_bind_tls(self): """Test unicodePwd using simple bind with encryption.""" - admin_sid = self.get_admin_sid(self.ldb) + admin_sid = self.ldb.get_admin_sid() self.creds.set_bind_dn(admin_sid) ldb = SamDB(url=host_ldaps, credentials=self.creds, lp=lp) diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 783602d8e00..1c00527d481 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -577,6 +577,7 @@ fail: krb5_error_code samba_kdc_message2entry_keys(krb5_context context, TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, const struct ldb_message *msg, bool is_krbtgt, bool is_rodc, @@ -611,6 +612,7 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context context, struct samba_kdc_user_keys older_keys = { .num_pkeys = 0, }; uint32_t available_enctypes = 0; uint32_t supported_enctypes = supported_enctypes_in; + const bool exporting_keytab = flags & SDB_F_ADMIN_DATA; *supported_enctypes_out = 0; @@ -825,7 +827,7 @@ krb5_error_code samba_kdc_message2entry_keys(krb5_context context, if ((flags & SDB_F_GET_CLIENT) && (flags & SDB_F_FOR_AS_REQ)) { include_history = true; - } else if (flags & SDB_F_ADMIN_DATA) { + } else if (exporting_keytab) { include_history = true; } @@ -1670,7 +1672,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, supported_session_etypes &= kdc_enctypes; /* Get keys from the db */ - ret = samba_kdc_message2entry_keys(context, p, msg, + ret = samba_kdc_message2entry_keys(context, p, + kdc_db_ctx->samdb, msg, is_krbtgt, is_rodc, userAccountControl, ent_type, flags, kvno, entry, 
@@ -1696,7 +1699,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, (kdc_enctypes & ENC_RC4_HMAC_MD5) != 0) { supported_enctypes = ENC_RC4_HMAC_MD5; - ret = samba_kdc_message2entry_keys(context, p, msg, + ret = samba_kdc_message2entry_keys(context, p, + kdc_db_ctx->samdb, msg, is_krbtgt, is_rodc, userAccountControl, ent_type, flags, kvno, entry, @@ -3790,6 +3794,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte krb5_error_code dsdb_extract_aes_256_key(krb5_context context, TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, const struct ldb_message *msg, uint32_t user_account_control, const uint32_t *kvno, @@ -3808,6 +3813,7 @@ krb5_error_code dsdb_extract_aes_256_key(krb5_context context, krb5_ret = samba_kdc_message2entry_keys(context, mem_ctx, + ldb, msg, false, /* is_krbtgt */ false, /* is_rodc */ diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h index fb74726b40c..1ac692eb820 100644 --- a/source4/kdc/db-glue.h +++ b/source4/kdc/db-glue.h @@ -42,6 +42,7 @@ enum samba_kdc_ent_type { */ krb5_error_code samba_kdc_message2entry_keys(krb5_context context, TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, const struct ldb_message *msg, bool is_krbtgt, bool is_rodc, @@ -105,6 +106,7 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte krb5_error_code dsdb_extract_aes_256_key(krb5_context context, TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, const struct ldb_message *msg, uint32_t user_account_control, const uint32_t *kvno, -- Samba Shared Repository
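
Review bot: in ctdb/protocol/protocol_util.c, the new `if (nread == -1)` branch of ctdb_connection_list_read() reads errno only after calling feof(f) and trusts it to be non-zero. If errno happens to be 0 at that point, a failed read still returns ret == 0 and the caller sees a short list as success. Consider saving errno immediately after getline() returns -1, testing ferror(f) for the error case, and falling back to a fixed code such as EIO when the saved value is 0. The `/* real error */` comment could also say that end-of-file is the only condition that leaves ret untouched.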
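
Review bot: in lib/crypto/gkdi.c, the comment above max_gkid in gkdi_get_key_start_time() does not say why the constant is not `static`, so a later cleanup could reinstate the specifier and break the Coverity build again. The commit message has the reason (the compiler used there rejects the initializers with "initializer element is not constant"); a one-line note next to `const struct Gkid max_gkid = {` would keep that knowledge in the source.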
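
Review bot: in python/samba/gkdi.py, Gkid.previous() and Gkid.next() have no docstrings and no defined behaviour at the ends of the range. previous() computes `self.start_nt_time() - KEY_CYCLE_DURATION`, which goes negative for the first GKID, and next() adds a cycle to the last representable one; whether NtTime() or Gkid.from_nt_time() rejects those values is not visible in this hunk. Suggest raising an explicit ValueError (or documenting the wrap/failure behaviour) and adding a short docstring to each method, since callers deriving gMSA keys for adjacent intervals will rely on this.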
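
Review bot: in python/samba/samdb.py, the new SamDB.get_admin_sid() has no docstring, and its name promises more than the code shows: it returns the first `tokenGroups` value from a base search with `base=""`, so the result depends on which identity the SamDB connection belongs to. Now that this is a public method rather than a test-local helper, a docstring stating that precondition would help. `res[0]["tokenGroups"][0]` also indexes without checking that the attribute came back, which will surface as an opaque KeyError or IndexError.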
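
Review bot: in python/samba/tests/dckeytab.py, the two loops in the hunks at -438 and -448 (filling remote_keys and local_keys) keep the `while True:` / `if not keytab_bytes: break` form that the hunk at -67 has just rewritten to `while keytab_bytes:`. The file now walks keytab entries in two different styles. Since all three loops do the same traversal over `entry` and `further_entry`, one small generator that yields each entry would remove the duplication and ensure the `bytes(entry.key.data)` conversion is applied in one place.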
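
Review bot: in source4/auth/kerberos/srv_keytab.c, the default passed to ldb_msg_find_attr_as_uint() in smb_krb5_fill_keytab_gmsa_keys() changes from ENC_HMAC_SHA1_96_AES256 to ENC_STRONG_SALTED_TYPES, and the only rationale given is "This is what an existing test expects." This default decides which key types are written to an exported keytab when `msDS-SupportedEncryptionTypes` is absent from the account, so it deserves a justification that does not depend on the test: a comment at the call site stating why AES128 is included by default (and what reference behaviour it matches) would let a reader judge the change without consulting the test suite.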
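
Review bot: in source4/kdc/db-glue.c, `const bool exporting_keytab = flags & SDB_F_ADMIN_DATA;` in samba_kdc_message2entry_keys() gives a definite name to what the commit subject calls a guess ("whether we think we are performing a keytab export"). A comment at the declaration should state that SDB_F_ADMIN_DATA is being used as a heuristic for keytab export, so later code that branches on exporting_keytab does not treat it as authoritative. Separately, the new `struct ldb_context *ldb` parameter is not used in any of the lines shown, and the declarations in db-glue.h gain the parameter without a word on whether it may be NULL; the commit message says it "can be used to query the current gMSA time", which belongs in the header comment.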