The branch, master has been updated
via ba87122e9c0 docs-xml: Document SID extension certificate mappings
via 15285bc2b26 s4:kdc: Implement Object SID certificate security
extension
via 4e1206958d3 third_party/heimdal: Import
lorikeet-heimdal-202510122217 (commit c2d91bdde528ba018da27b88baa22b46f323f659)
via 4dc12177c51 s4:kdc: Don’t leak pub_keys.keys
via dab9b41bf7f s4:kdc: Move talloc_steal() back to function end
via b68d5bbb5ad s4:kdc: Correct debug messages
via c6b73f88fae s4:kdc: Correct comments
via d16fb8af463 tests/krb5: Add tests for the Object SID certificate
security extension
via 0334d44c30f tests/krb5: Remove unused imports
via a9f44efab37 tests/krb5: Remove unused method
via 5af7944e7b0 docs-xml: Correct documentation
via f83aad7cc88 s4:kdc: Correct spelling
from 6fb379ef8b3 s3:passdb: Fix memory leak in pdb_default_del_groupmem()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ba87122e9c0b1cc3332a21e20ce944bb842ed9b5
Author: Jennifer Sutton <[email protected]>
Date: Tue Oct 14 17:05:20 2025 +1300
docs-xml: Document SID extension certificate mappings
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
Autobuild-User(master): Jennifer Sutton <[email protected]>
Autobuild-Date(master): Thu Oct 23 01:03:36 UTC 2025 on atb-devel-224
commit 15285bc2b268d65ff6dca3849e8da4e69da03ab5
Author: Jennifer Sutton <[email protected]>
Date: Mon Aug 25 12:40:09 2025 +1200
s4:kdc: Implement Object SID certificate security extension
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
commit 4e1206958d3f95bd0c200e497498f7578e9c7f4d
Author: Jennifer Sutton <[email protected]>
Date: Mon Oct 13 11:25:48 2025 +1300
third_party/heimdal: Import lorikeet-heimdal-202510122217 (commit
c2d91bdde528ba018da27b88baa22b46f323f659)
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
commit 4dc12177c515e63036ebf87b87ff2ebcf2b65bc0
Author: Jennifer Sutton <[email protected]>
Date: Thu Oct 9 17:09:40 2025 +1300
s4:kdc: Don’t leak pub_keys.keys
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
commit dab9b41bf7f896a1198a1df4de7ee9172e849213
Author: Jennifer Sutton <[email protected]>
Date: Fri Oct 3 15:14:00 2025 +1300
s4:kdc: Move talloc_steal() back to function end
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
commit b68d5bbb5adb380467be12bbad1cad58be53e53f
Author: Jennifer Sutton <[email protected]>
Date: Fri Oct 3 15:12:19 2025 +1300
s4:kdc: Correct debug messages
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
commit c6b73f88faeba0475ce7831fbba2fe303d91ef50
Author: Jennifer Sutton <[email protected]>
Date: Fri Oct 3 15:11:36 2025 +1300
s4:kdc: Correct comments
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
commit d16fb8af463a660ce8a42f6d1e7711331812e027
Author: Jennifer Sutton <[email protected]>
Date: Fri Oct 3 14:31:30 2025 +1300
tests/krb5: Add tests for the Object SID certificate security extension
View with ‘git show -b’.
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
commit 0334d44c30f1289054b34e64faecad7175577ce0
Author: Jennifer Sutton <[email protected]>
Date: Fri Oct 3 14:29:51 2025 +1300
tests/krb5: Remove unused imports
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
commit a9f44efab376e2d8e8ccf203db0cbf303508681d
Author: Jennifer Sutton <[email protected]>
Date: Fri Oct 3 14:30:24 2025 +1300
tests/krb5: Remove unused method
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
commit 5af7944e7b06887d11f5dd9ef5af4aed797f8c3b
Author: Jennifer Sutton <[email protected]>
Date: Fri Oct 3 14:24:59 2025 +1300
docs-xml: Correct documentation
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
commit f83aad7cc88d52c41f03c9fdb10c923231ee2512
Author: Jennifer Sutton <[email protected]>
Date: Fri Oct 3 14:17:42 2025 +1300
s4:kdc: Correct spelling
Signed-off-by: Jennifer Sutton <[email protected]>
Reviewed-by: Gary Lockyer <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/security/kdccertbackdating.xml | 4 +-
.../security/kdccertbindingenforcement.xml | 12 +-
.../tests/krb5/pkinit_certificate_mapping_tests.py | 272 ++++++++-------------
source4/kdc/db-glue.c | 43 ++--
source4/kdc/sdb.h | 5 +-
source4/kdc/sdb_to_hdb.c | 39 +++
.../.github/workflows/linux-mit-interop.yml | 6 +-
third_party/heimdal/.github/workflows/linux.yml | 6 +-
third_party/heimdal/.github/workflows/osx.yml | 4 +-
.../heimdal/.github/workflows/scanbuild.yml | 2 +-
third_party/heimdal/.github/workflows/ubsan.yml | 2 +-
third_party/heimdal/.github/workflows/valgrind.yml | 2 +-
third_party/heimdal/.github/workflows/windows.yml | 2 +-
third_party/heimdal/appl/test/Makefile.am | 2 +
third_party/heimdal/cf/largefile.m4 | 16 +-
third_party/heimdal/doc/copyright.texi | 27 +-
third_party/heimdal/kdc/pkinit.c | 158 +++++++-----
third_party/heimdal/lib/asn1/krb5.asn1 | 3 +-
third_party/heimdal/lib/asn1/rfc2459.asn1 | 20 ++
third_party/heimdal/lib/hdb/hdb.asn1 | 4 +-
third_party/heimdal/lib/hdb/hdb.h | 2 +-
third_party/heimdal/lib/hx509/cert.c | 95 ++++++-
third_party/heimdal/lib/hx509/cms.c | 2 +-
third_party/heimdal/lib/hx509/version-script.map | 1 +
24 files changed, 438 insertions(+), 291 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/kdccertbackdating.xml
b/docs-xml/smbdotconf/security/kdccertbackdating.xml
index 11926a164bb..8dcd6cc977b 100644
--- a/docs-xml/smbdotconf/security/kdccertbackdating.xml
+++ b/docs-xml/smbdotconf/security/kdccertbackdating.xml
@@ -11,8 +11,8 @@
</smbconfoption>
</para>
<para>
- This parameter specifies number of minutes that a certificate's issue
- date may precede the creation of a users account.
+ This parameter specifies the number of minutes that a certificate's
issue
+ date may precede the creation of a user's account.
</para>
<para>More details can be found at
diff --git a/docs-xml/smbdotconf/security/kdccertbindingenforcement.xml
b/docs-xml/smbdotconf/security/kdccertbindingenforcement.xml
index fa1fab40ee8..d347e8cdb2c 100644
--- a/docs-xml/smbdotconf/security/kdccertbindingenforcement.xml
+++ b/docs-xml/smbdotconf/security/kdccertbindingenforcement.xml
@@ -35,7 +35,7 @@
<constant>Unless</constant>
<smbconfoption name="certificate backdating compensation"/>
has a value. In that case the certificate may have been
- issued no more that number of minutes before the user
+ issued no more than that number of minutes before the user
was created.
</para>
</listitem>
@@ -59,7 +59,7 @@
<para>Example:
"X509:<I>IssuerName<S>SubjectName"</para>
<para>
The values provided for the issuer name and subject name
- must match those in the users certificate exactly.
+ must match those in the user's certificate exactly.
</para>
<para><emphasis>WEAK</emphasis></para>
</listitem>
@@ -68,7 +68,7 @@
<para>Example: "X509:<S>SubjectName"</para>
<para>
The value provided for the issuer subject name
- must match that in the users certificate exactly.
+ must match that in the user's certificate exactly.
</para>
<para><emphasis>WEAK</emphasis></para>
</listitem>
@@ -97,11 +97,15 @@
<para>X509 public key SHA1 </para>
<para>Example: "X509:<SHA1-PUKEY>1234567890abcdef"</para>
<para>
- The SHA1 hash of the certificates public key
+ The SHA1 hash of the certificate's public key
</para>
<para><emphasis>STRONG</emphasis></para>
</listitem>
</itemizedlist>
+
+ Certificate mappings may also take the form of a certificate extension
+ (extension 1.3.6.1.4.1.311.25.2) that contains the user's SID. This is
+ considered a <emphasis>STRONG</emphasis> mapping.
</para>
</description>
diff --git a/python/samba/tests/krb5/pkinit_certificate_mapping_tests.py
b/python/samba/tests/krb5/pkinit_certificate_mapping_tests.py
index 3116c59cc6d..99cc23b66ec 100755
--- a/python/samba/tests/krb5/pkinit_certificate_mapping_tests.py
+++ b/python/samba/tests/krb5/pkinit_certificate_mapping_tests.py
@@ -52,11 +52,8 @@ from samba.tests.krb5.raw_testcase import PkInit,
RawKerberosTest
from samba.tests.krb5.rfc4120_constants import (
DES_EDE3_CBC,
KDC_ERR_CERTIFICATE_MISMATCH,
- KU_PA_ENC_TIMESTAMP,
NT_PRINCIPAL,
NT_SRV_INST,
- PADATA_AS_FRESHNESS,
- PADATA_ENC_TIMESTAMP,
PADATA_PK_AS_REP_19,
PADATA_PK_AS_REQ,
)
@@ -454,6 +451,62 @@ class PkInitCertificateMappingTests(KDCBaseTest):
expect_error=self.STRONG_EXPECTED_RESULT,
)
+ def test_object_sid(self):
+ """
+ Test PKINIT logon with a user account and a strong object SID mapping
+ """
+
+ client_creds = self._get_creds()
+ target_creds = self.get_service_creds()
+ ca_cert, ca_private_key = self.get_ca_cert_and_private_key()
+
+ # Create a certificate for the client signed by the CA which includes
+ # the object SID.
+ certificate = self.create_certificate(
+ client_creds,
+ ca_cert,
+ ca_private_key,
+ None,
+ [],
+ object_sid=client_creds.get_sid(),
+ )
+
+ self._pkinit_req(
+ client_creds,
+ target_creds,
+ certificate=certificate,
+ expect_error=self.STRONG_EXPECTED_RESULT,
+ )
+
+ def test_mismatched_object_sid(self):
+ """
+ Test PKINIT logon with a user account and a mismatched object SID
+ mapping
+ """
+
+ client_creds = self._get_creds()
+ target_creds = self.get_service_creds()
+ ca_cert, ca_private_key = self.get_ca_cert_and_private_key()
+
+ # Create a certificate for the client signed by the CA which includes
+ # the object SID.
+ certificate = self.create_certificate(
+ client_creds,
+ ca_cert,
+ ca_private_key,
+ None,
+ [],
+ object_sid=target_creds.get_sid(),
+ )
+
+ self._pkinit_req(
+ client_creds,
+ target_creds,
+ certificate=certificate,
+ # We choose to treat the mapping as if it does not exist.
+ expect_error=self.NONE_EXPECTED_RESULT,
+ )
+
def _rfc4514_string(self, name):
"""
Convert an X509 name to it's RFC 4514 form, however we need
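Review bot: The docstring of `test_mismatched_object_sid` says only that the SID mapping is mismatched; it should state which SID is embedded and what outcome is asserted, since the inline `# We choose to treat the mapping as if it does not exist.` is currently the only record of the intended behaviour. Suggested docstring: `Test PKINIT logon where the certificate's SID extension carries another account's SID (here the target service's); the KDC is expected to treat the mapping as absent, hence NONE_EXPECTED_RESULT.` The certificate-building sequence is repeated verbatim in both new tests, differing only in the SID passed; a small private helper taking the SID would keep the two in step. The enclosing class continues outside this hunk.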
@@ -496,139 +549,6 @@ class PkInitCertificateMappingTests(KDCBaseTest):
account_type=account_type, opts=opts, use_cache=use_cache
)
- def _as_req(
- self,
- creds,
- target_creds,
- *,
- expect_error=0,
- expect_status=False,
- expected_status=None,
- expect_edata=False,
- etypes=None,
- freshness=None,
- send_enc_ts=False,
- ):
- if send_enc_ts:
- if creds.get_password() is None:
- # Try the NT hash if there isn't a password
- preauth_key = self.PasswordKey_from_creds(creds,
kcrypto.Enctype.RC4)
- else:
- preauth_key = self.PasswordKey_from_creds(creds,
kcrypto.Enctype.AES256)
- else:
- preauth_key = None
-
- if freshness is not None or send_enc_ts:
-
- def generate_padata_fn(_kdc_exchange_dict, _callback_dict,
req_body):
- padata = []
-
- if freshness is not None:
- freshness_padata = self.PA_DATA_create(
- PADATA_AS_FRESHNESS, freshness
- )
- padata.append(freshness_padata)
-
- if send_enc_ts:
- patime, pausec = self.get_KerberosTimeWithUsec()
- enc_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
- enc_ts = self.der_encode(enc_ts,
asn1Spec=krb5_asn1.PA_ENC_TS_ENC())
-
- enc_ts = self.EncryptedData_create(
- preauth_key, KU_PA_ENC_TIMESTAMP, enc_ts
- )
- enc_ts = self.der_encode(enc_ts,
asn1Spec=krb5_asn1.EncryptedData())
-
- enc_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, enc_ts)
-
- padata.append(enc_ts)
-
- return padata, req_body
- else:
- generate_padata_fn = None
-
- user_name = creds.get_username()
- cname = self.PrincipalName_create(
- name_type=NT_PRINCIPAL, names=user_name.split("/")
- )
-
- target_name = target_creds.get_username()
- target_realm = target_creds.get_realm()
-
- if target_name == "krbtgt":
- sname = self.PrincipalName_create(
- name_type=NT_SRV_INST, names=["krbtgt", target_realm]
- )
- else:
- sname = self.PrincipalName_create(
- name_type=NT_PRINCIPAL, names=["host", target_name[:-1]]
- )
-
- if expect_error:
- check_error_fn = self.generic_check_kdc_error
- check_rep_fn = None
-
- expected_sname = sname
- else:
- check_error_fn = None
- check_rep_fn = self.generic_check_kdc_rep
-
- if target_name == "krbtgt":
- expected_sname = sname
- else:
- expected_sname = self.PrincipalName_create(
- name_type=NT_PRINCIPAL, names=[target_name]
- )
-
- kdc_options = "forwardable,renewable,canonicalize,renewable-ok"
- kdc_options = krb5_asn1.KDCOptions(kdc_options)
-
- ticket_decryption_key =
self.TicketDecryptionKey_from_creds(target_creds)
-
- kdc_exchange_dict = self.as_exchange_dict(
- creds=creds,
- expected_crealm=creds.get_realm(),
- expected_cname=cname,
- expected_srealm=target_realm,
- expected_sname=expected_sname,
- expected_supported_etypes=target_creds.tgs_supported_enctypes,
- ticket_decryption_key=ticket_decryption_key,
- generate_padata_fn=generate_padata_fn,
- check_error_fn=check_error_fn,
- check_rep_fn=check_rep_fn,
- check_kdc_private_fn=self.generic_check_kdc_private,
- expected_error_mode=expect_error,
- expected_salt=creds.get_salt(),
- preauth_key=preauth_key,
- kdc_options=str(kdc_options),
- expect_edata=expect_edata,
- expect_status=expect_status,
- expected_status=expected_status,
- )
-
- till = self.get_KerberosTime(offset=36000)
-
- if etypes is None:
- etypes = (
- kcrypto.Enctype.AES256,
- kcrypto.Enctype.RC4,
- )
-
- rep = self._generic_kdc_exchange(
- kdc_exchange_dict,
- cname=cname,
- realm=target_realm,
- sname=sname,
- till_time=till,
- etypes=etypes,
- )
- if expect_error:
- self.check_error_rep(rep, expect_error)
- else:
- self.check_as_reply(rep)
-
- return kdc_exchange_dict
-
def get_ca_cert_and_private_key(self):
# The password with which to try to encrypt the certificate or private
# key specified on the command line.
@@ -676,6 +596,7 @@ class PkInitCertificateMappingTests(KDCBaseTest):
certificate_signature=None,
san=[],
notBefore=None,
+ object_sid=None,
):
if certificate_signature is None:
certificate_signature = hashes.SHA256
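Review bot: The new `object_sid=None` keyword of `create_certificate` is undocumented, and nothing near the signature says what type it takes or what `None` means. A comment beside the parameter would do, e.g. `# object_sid: string SID to embed in the szOID_NTDS_CA_SECURITY_EXT extension; None omits the extension.` The later hunk encodes it with `object_sid.encode("utf-8")`, so a str rather than a SID object is expected, and that is worth stating for callers. The `def` line and the body of create_certificate lie outside this hunk.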
@@ -773,49 +694,56 @@ class PkInitCertificateMappingTests(KDCBaseTest):
critical=False,
)
- # If the certificate predates (as ours does) the existence of the
- # account that presents it Windows will refuse to accept it unless
- # there exists a strong mapping from one to the other. This strong
- # mapping will in this case take the form of a certificate extension
- # described in [MS-WCCE] 2.2.2.7.7.4 (szOID_NTDS_CA_SECURITY_EXT) and
- # containing the account’s SID.
+ if object_sid is not None:
+ # If the certificate predates (as ours does) the existence of the
+ # account that presents it Windows will refuse to accept it unless
+ # there exists a strong mapping from one to the other. This strong
+ # mapping will in this case take the form of a certificate
extension
+ # described in [MS-WCCE] 2.2.2.7.7.4 (szOID_NTDS_CA_SECURITY_EXT)
and
+ # containing the account’s SID.
- # Encode this structure manually until we are able to produce the same
- # ASN.1 encoding that Windows does.
+ # Encode this structure manually until we are able to produce the
same
+ # ASN.1 encoding that Windows does.
- encoded_sid = creds.get_sid().encode("utf-8")
+ encoded_sid = object_sid.encode("utf-8")
- # The OCTET STRING tag, followed by length and encoded SID…
- security_ext = bytes([0x04]) + self.asn1_length(encoded_sid) +
(encoded_sid)
+ # The OCTET STRING tag, followed by length and encoded SID…
+ security_ext = bytes([0x04]) + self.asn1_length(encoded_sid) +
(encoded_sid)
- # …enclosed in a construct tagged with the application-specific value
- # 0…
- security_ext = bytes([0xA0]) + self.asn1_length(security_ext) +
(security_ext)
-
- # …preceded by the extension OID…
- encoded_oid = self.der_encode(
- krb5_asn1.szOID_NTDS_OBJECTSID, univ.ObjectIdentifier()
- )
- security_ext = encoded_oid + security_ext
+ # …enclosed in a construct tagged with the application-specific
value
+ # 0…
+ security_ext = (
+ bytes([0xA0]) + self.asn1_length(security_ext) + (security_ext)
+ )
- # …and another application-specific tag 0…
- # (This is the part about which I’m unsure. This length is not just of
- # the OID, but of the entire structure so far, as if there’s some
- # nesting going on. So far I haven’t been able to replicate this with
- # pyasn1.)
- security_ext = bytes([0xA0]) + self.asn1_length(security_ext) +
(security_ext)
+ # …preceded by the extension OID…
+ encoded_oid = self.der_encode(
+ krb5_asn1.szOID_NTDS_OBJECTSID, univ.ObjectIdentifier()
+ )
+ security_ext = encoded_oid + security_ext
+
+ # …and another application-specific tag 0…
+ # (This is the part about which I’m unsure. This length is not
just of
+ # the OID, but of the entire structure so far, as if there’s some
+ # nesting going on. So far I haven’t been able to replicate this
with
+ # pyasn1.)
+ security_ext = (
+ bytes([0xA0]) + self.asn1_length(security_ext) + (security_ext)
+ )
- # …all enclosed in a structure with a SEQUENCE tag.
- security_ext = bytes([0x30]) + self.asn1_length(security_ext) +
(security_ext)
+ # …all enclosed in a structure with a SEQUENCE tag.
+ security_ext = (
+ bytes([0x30]) + self.asn1_length(security_ext) + (security_ext)
+ )
- # Add the security extension to the certificate.
- builder = builder.add_extension(
- x509.UnrecognizedExtension(
-
x509.ObjectIdentifier(str(krb5_asn1.szOID_NTDS_CA_SECURITY_EXT)),
- security_ext,
- ),
- critical=False,
- )
+ # Add the security extension to the certificate.
+ builder = builder.add_extension(
+ x509.UnrecognizedExtension(
+
x509.ObjectIdentifier(str(krb5_asn1.szOID_NTDS_CA_SECURITY_EXT)),
+ security_ext,
+ ),
+ critical=False,
+ )
# Sign the certificate with the CA’s private key. Windows accepts both
# SHA1 and SHA256 hashes.
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index c7dc01fb812..aa3418c48db 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1200,7 +1200,7 @@ static krb5_error_code samba_kdc_get_entry_principal(
* @return 0 No error
* ENOMEM memory allocation error
*
- * @note Memory is allocated, with malloc and needs to be freed
+ * @note Memory is allocated with malloc and needs to be freed
*/
static krb5_error_code data_blob_to_krb5_data( DATA_BLOB *blob, krb5_data
*krb5)
{
@@ -1225,7 +1225,7 @@ static krb5_error_code data_blob_to_krb5_data( DATA_BLOB
*blob, krb5_data *krb5)
* ENOMEM memory allocation error
* EINVAL data blob is not a valid hex string encoding
*
- * @note Memory is allocated, with malloc and needs to be freed
+ * @note Memory is allocated with malloc and needs to be freed
*/
static krb5_error_code db_hex_str_to_krb5_data(
DATA_BLOB *blob,
@@ -1289,7 +1289,7 @@ static const DATA_BLOB X509_HEADER =
DATA_BLOB_STRING("X509:");
* EINVAL tag or value are invalid
* ENOMEM memory allocation error
*
- * @note Memory is allocated, with malloc and needs to be freed with
+ * @note Memory is allocated with malloc and needs to be freed with
* sdb_certificate_mapping_free
*/
static krb5_error_code populate_certificate_mapping(
@@ -1424,7 +1424,7 @@ static krb5_boolean is_strong_certificate_mapping(
* <S> Subject Name
* <SR> Serial Number
* <SKI> SKI Subject Key Identifier
- * <SHA1-PUBKEY> SHA1 checksum of the public key
+ * <SHA1-PUKEY> SHA1 checksum of the public key
* <RFC822> Email address
*
*
@@ -1463,16 +1463,16 @@ static krb5_error_code parse_certificate_mapping(
/*
* Ensure that there is data, and it starts with X509:
- * other wise ignore the entry and return ENOENT
+ * otherwise ignore the entry and return ENOENT
*/
if (data == NULL || length == 0) {
- DBG_DEBUG("altSecurityIdentities, is empty");
+ DBG_DEBUG("altSecurityIdentities is empty");
ret = ENOENT;
goto out;
}
if (length <= X509_HEADER.length ||
memcmp(X509_HEADER.data, data, X509_HEADER.length) != 0) {
- DBG_DEBUG("altSecurityIdentities, entry is not X509 ignoring");
+ DBG_DEBUG("altSecurityIdentities entry is not X509, ignoring");
ret = ENOENT;
goto out;
}
@@ -1531,7 +1531,7 @@ static krb5_error_code parse_certificate_mapping(
}
}
if (state != value_state) {
- DBG_WARNING("altSecurityIdentities, expected a value");
+ DBG_WARNING("altSecurityIdentities expected a value");
ret = EINVAL;
goto out;
}
@@ -1880,14 +1880,16 @@ static krb5_error_code
get_key_trust_public_keys(TALLOC_CTX *mem_ctx,
goto pub_keys_oom;
}
} else {
- pub_keys.keys = realloc_p(pub_keys.keys,
- struct sdb_pub_key,
- pub_keys.len + 1);
- if (pub_keys.keys == NULL) {
+ struct sdb_pub_key *keys = realloc_p(
+ pub_keys.keys,
+ struct sdb_pub_key,
+ pub_keys.len + 1);
+ if (keys == NULL) {
SAFE_FREE(pub_key.exponent.data);
SAFE_FREE(pub_key.modulus.data);
goto pub_keys_oom;
}
+ pub_keys.keys = keys;
}
pub_keys.keys[pub_keys.len] = pub_key;
pub_keys.len++;
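Review bot: The temporary `keys` is the whole point of this change, yet nothing in the code says so, and a later tidy-up could fold it back into a direct `pub_keys.keys = realloc_p(...)` and reintroduce the leak the commit title describes. A one-line comment above the `realloc_p` call would protect it: `/* Assign via a temporary: if realloc fails, pub_keys.keys must stay valid so the pub_keys_oom path can free it */`. Whether `pub_keys_oom` actually frees `pub_keys.keys` is not visible here and should be confirmed against the label, which lies outside the hunk along with the rest of get_key_trust_public_keys.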
@@ -1932,7 +1934,6 @@ static krb5_error_code
samba_kdc_message2entry(krb5_context context,
NTTIME acct_expiry;
NTSTATUS status;
bool protected_user = false;
- struct dom_sid sid;
uint32_t rid;
bool is_krbtgt = false;
bool is_rodc = false;
@@ -2159,11 +2160,11 @@ static krb5_error_code
samba_kdc_message2entry(krb5_context context,
/* The lack of password controls etc applies to krbtgt by
* virtue of being that particular RID */
- ret = samdb_result_dom_sid_buf(msg, "objectSid", &sid);
+ ret = samdb_result_dom_sid_buf(msg, "objectSid", &entry->sid);
if (ret) {
goto out;
}
- status = dom_sid_split_rid(NULL, &sid, NULL, &rid);
+ status = dom_sid_split_rid(NULL, &entry->sid, NULL, &rid);
if (!NT_STATUS_IS_OK(status)) {
ret = EINVAL;
goto out;
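Review bot: The SID is now written straight into `entry->sid` instead of a local, which changes what outlives this function, but the hunk carries no comment saying why the entry keeps it. A why-comment above the `samdb_result_dom_sid_buf` call would explain the change, e.g. `/* Keep the SID in the entry: it is consumed after message2entry, not just for the RID split below */`. The consumer appears to be the new sdb.h field and sdb_to_hdb.c listed in the diffstat, presumably for the Object SID certificate extension named in the commit title, but that is inferred rather than visible here. samba_kdc_message2entry begins and ends outside this hunk.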
@@ -2641,12 +2642,6 @@ static krb5_error_code
samba_kdc_message2entry(krb5_context context,
*/
}
- p->msg = talloc_steal(p, msg);