const char *lpcfg_sam_name(struct loadparm_context *lp_ctx);
const char *lpcfg_sam_dnsname(struct loadparm_context *lp_ctx);
-void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
+void lpcfg_default_kdc_policy(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
time_t *svc_tkt_lifetime,
time_t *usr_tkt_lifetime,
time_t *renewal_lifetime);
#include "system/dir.h"
#include "param/param.h"
#include "libds/common/roles.h"
+#include "tdb.h"
/**
* @file
}
}
-void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
+static long tdb_fetch_lifetime(TALLOC_CTX *mem_ctx, struct tdb_context *tdb, const char *keystr)
+{
+ TDB_DATA key;
+ TDB_DATA ret;
+ char *tmp = NULL;
+ long result;
+
+ key.dptr = discard_const_p(unsigned char, keystr);
+ key.dsize = strlen(keystr);
+
+ if (!key.dptr)
+ return -1;
+
+ ret = tdb_fetch(tdb, key);
+ if (ret.dsize == 0)
+ return -1;
+
+ tmp = talloc_realloc(mem_ctx, tmp, char, ret.dsize+1);
+ memset(tmp, 0, ret.dsize+1);
+ memcpy(tmp, ret.dptr, ret.dsize);
+ free(ret.dptr);
+
+ result = atol(tmp);
+ talloc_free(tmp);
+ return result;
+}
+
+void lpcfg_default_kdc_policy(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
time_t *svc_tkt_lifetime,
time_t *usr_tkt_lifetime,
time_t *renewal_lifetime)
{
long val;
+ TDB_CONTEXT *ctx = NULL;
+ const char *kdc_tdb = NULL;
+
+ kdc_tdb = lpcfg_cache_path(mem_ctx, lp_ctx, "gpo.tdb");
+ if (kdc_tdb)
+ ctx = tdb_open(kdc_tdb, 0, TDB_DEFAULT, O_RDWR, 0600);
- val = lpcfg_parm_long(lp_ctx, NULL,
- "kdc", "service ticket lifetime", 10);
+ if (!ctx || ( val = tdb_fetch_lifetime(mem_ctx, ctx, "kdc:service_ticket_lifetime") ) == -1 )
+ val = lpcfg_parm_long(lp_ctx, NULL, "kdc", "service ticket lifetime", 10);
*svc_tkt_lifetime = val * 60 * 60;
- val = lpcfg_parm_long(lp_ctx, NULL,
- "kdc", "user ticket lifetime", 10);
+ if (!ctx || ( val = tdb_fetch_lifetime(mem_ctx, ctx, "kdc:user_ticket_lifetime") ) == -1 )
+ val = lpcfg_parm_long(lp_ctx, NULL, "kdc", "user ticket lifetime", 10);
*usr_tkt_lifetime = val * 60 * 60;
- val = lpcfg_parm_long(lp_ctx, NULL,
- "kdc", "renewal lifetime", 24 * 7);
+ if (!ctx || ( val = tdb_fetch_lifetime(mem_ctx, ctx, "kdc:renewal_lifetime") ) == -1 )
+ val = lpcfg_parm_long(lp_ctx, NULL, "kdc", "renewal lifetime", 24 * 7);
*renewal_lifetime = val * 60 * 60;
}
def __str__(self):
pass
+class inf_to_kdc_tdb(inf_to):
+ def mins_to_hours(self):
+ return '%d' % (int(self.val)/60)
+
+ def days_to_hours(self):
+ return '%d' % (int(self.val)*24)
+
+ def set_kdc_tdb(self, val):
+ old_val = self.gp_db.gpostore.get(self.attribute)
+ self.logger.info('%s was changed from %s to %s' % (self.attribute, old_val, val))
+ if val is not None:
+ self.gp_db.gpostore.store(self.attribute, val)
+ self.gp_db.store(str(self), self.attribute, old_val)
+ else:
+ self.gp_db.gpostore.delete(self.attribute)
+ self.gp_db.delete(str(self), self.attribute)
+
+ def mapper(self):
+ return { 'kdc:user_ticket_lifetime': (self.set_kdc_tdb, self.explicit),
+ 'kdc:service_ticket_lifetime': (self.set_kdc_tdb, self.mins_to_hours),
+ 'kdc:renewal_lifetime': (self.set_kdc_tdb, self.days_to_hours),
+ }
+
+ def __str__(self):
+ return 'Kerberos Policy'
+
class inf_to_ldb(inf_to):
'''This class takes the .inf file parameter (essentially a GPO file mapped to a GUID),
hashmaps it to the Samba parameter, which then uses an ldb object to update the
"MaximumPasswordAge": ("maxPwdAge", inf_to_ldb),
"MinimumPasswordLength": ("minPwdLength", inf_to_ldb),
"PasswordComplexity": ("pwdProperties", inf_to_ldb),
- }
+ },
+ "Kerberos Policy": {"MaxTicketAge": ("kdc:user_ticket_lifetime", inf_to_kdc_tdb),
+ "MaxServiceAge": ("kdc:service_ticket_lifetime", inf_to_kdc_tdb),
+ "MaxRenewAge": ("kdc:renewal_lifetime", inf_to_kdc_tdb),
+ }
}
def read_inf(self, path, conn):
kdc_db_ctx->msg_ctx = base_ctx->msg_ctx;
/* get default kdc policy */
- lpcfg_default_kdc_policy(base_ctx->lp_ctx,
+ lpcfg_default_kdc_policy(mem_ctx,
+ base_ctx->lp_ctx,
&kdc_db_ctx->policy.svc_tkt_lifetime,
&kdc_db_ctx->policy.usr_tkt_lifetime,
&kdc_db_ctx->policy.renewal_lifetime);
DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
}
-static void kdc_get_policy(struct loadparm_context *lp_ctx,
+static void kdc_get_policy(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
struct smb_krb5_context *smb_krb5_context,
struct lsa_DomainInfoKerberos *k)
{
time_t usr_tkt_lifetime;
time_t renewal_lifetime;
- /* These should be set and stored via Group Policy, but until then, some defaults are in order */
-
/* Our KDC always re-validates the client */
k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
- lpcfg_default_kdc_policy(lp_ctx, &svc_tkt_lifetime,
+ lpcfg_default_kdc_policy(mem_ctx, lp_ctx, &svc_tkt_lifetime,
&usr_tkt_lifetime, &renewal_lifetime);
unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
*r->out.info = NULL;
return NT_STATUS_INTERNAL_ERROR;
}
- kdc_get_policy(dce_call->conn->dce_ctx->lp_ctx,
+ kdc_get_policy(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
smb_krb5_context,
k);
talloc_free(smb_krb5_context);