source4/kdc/kpasswdd.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    kpasswd Server implementation
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7    Copyright (C) Andrew Tridgell        2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "smbd/service_task.h"
  26 #include "lib/events/events.h"
  27 #include "lib/socket/socket.h"
  28 #include "kdc/kdc.h"
  29 #include "system/network.h"
  30 #include "lib/util/dlinklist.h"
  31 #include "lib/ldb/include/ldb.h"
  32 #include "heimdal/lib/krb5/krb5_locl.h"
  33 #include "heimdal/lib/krb5/krb5-private.h"
  34 #include "auth/auth.h"
  35 #include "dsdb/samdb/samdb.h"
  36 #include "rpc_server/dcerpc_server.h"
  37 #include "rpc_server/samr/proto.h"
  38 #include "libcli/security/security.h"
  39
  40 /* hold information about one kdc socket */
  41 struct kpasswd_socket {
  42         struct socket_context *sock;
  43         struct kdc_server *kdc;
  44         struct fd_event *fde;
  45
  46         /* a queue of outgoing replies that have been deferred */
  47         struct kdc_reply *send_queue;
  48 };
  49
  50 /* Return true if there is a valid error packet formed in the error_blob */
  51 static BOOL kpasswdd_make_error_reply(struct kdc_server *kdc,
  52                                      TALLOC_CTX *mem_ctx,
  53                                      uint16_t result_code,
  54                                      const char *error_string,
  55                                      DATA_BLOB *error_blob)
  56 {
  57         char *error_string_utf8;
  58         ssize_t len;
  59
  60         DEBUG(result_code ? 3 : 10, ("kpasswdd: %s\n", error_string));
  61
  62         len = push_utf8_talloc(mem_ctx, &error_string_utf8, error_string);
  63         if (len == -1) {
  64                 return False;
  65         }
  66
  67         *error_blob = data_blob_talloc(mem_ctx, NULL, 2 + len + 1);
  68         if (!error_blob->data) {
  69                 return False;
  70         }
  71         RSSVAL(error_blob->data, 0, result_code);
  72         memcpy(error_blob->data + 2, error_string_utf8, len + 1);
  73         return True;
  74 }
  75
  76 /* Return true if there is a valid error packet formed in the error_blob */
  77 static BOOL kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
  78                                             TALLOC_CTX *mem_ctx,
  79                                             uint16_t result_code,
  80                                             const char *error_string,
  81                                             DATA_BLOB *error_blob)
  82 {
  83         BOOL ret;
  84         int kret;
  85         DATA_BLOB error_bytes;
  86         krb5_data k5_error_bytes, k5_error_blob;
  87         ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string,
  88                                        &error_bytes);
  89         if (!ret) {
  90                 return False;
  91         }
  92         k5_error_bytes.data = error_bytes.data;
  93         k5_error_bytes.length = error_bytes.length;
  94         kret = krb5_mk_error(kdc->smb_krb5_context->krb5_context,
  95                              result_code, NULL, &k5_error_bytes,
  96                              NULL, NULL, NULL, NULL, &k5_error_blob);
  97         if (kret) {
  98                 return False;
  99         }
 100         *error_blob = data_blob_talloc(mem_ctx, k5_error_blob.data, k5_error_blob.length);
 101         krb5_data_free(&k5_error_blob);
 102         if (!error_blob->data) {
 103                 return False;
 104         }
 105         return True;
 106 }
 107
 108 static BOOL kpasswd_make_pwchange_reply(struct kdc_server *kdc,
 109                                         TALLOC_CTX *mem_ctx,
 110                                         NTSTATUS status,
 111                                         enum samr_RejectReason reject_reason,
 112                                         struct samr_DomInfo1 *dominfo,
 113                                         DATA_BLOB *error_blob)
 114 {
 115         if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
 116                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 117                                                 KRB5_KPASSWD_ACCESSDENIED,
 118                                                 "No such user when changing password",
 119                                                 error_blob);
 120         }
 121         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 122                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 123                                                 KRB5_KPASSWD_ACCESSDENIED,
 124                                                 "Not permitted to change password",
 125                                                 error_blob);
 126         }
 127         if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
 128                 const char *reject_string;
 129                 switch (reject_reason) {
 130                 case SAMR_REJECT_TOO_SHORT:
 131                         reject_string = talloc_asprintf(mem_ctx, "Password too short, password must be at least %d characters long",
 132                                                         dominfo->min_password_length);
 133                         break;
 134                 case SAMR_REJECT_COMPLEXITY:
 135                         reject_string = "Password does not meet complexity requirements";
 136                         break;
 137                 case SAMR_REJECT_IN_HISTORY:
 138                         reject_string = "Password is already in password history";
 139                         break;
 140                 case SAMR_REJECT_OTHER:
 141                 default:
 142                         reject_string = talloc_asprintf(mem_ctx, "Password must be at least %d characters long, and cannot match any of your %d previous passwords",
 143                                                         dominfo->min_password_length, dominfo->password_history_length);
 144                         break;
 145                 }
 146                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 147                                                 KRB5_KPASSWD_SOFTERROR,
 148                                                 reject_string,
 149                                                 error_blob);
 150         }
 151         if (!NT_STATUS_IS_OK(status)) {
 152                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 153                                                  KRB5_KPASSWD_HARDERROR,
 154                                                  talloc_asprintf(mem_ctx, "failed to set password: %s", nt_errstr(status)),
 155                                                  error_blob);
 156
 157         }
 158         return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_SUCCESS,
 159                                         "Password changed",
 160                                         error_blob);
 161 }
 162
 163 /*
 164    A user password change
 165
 166    Return true if there is a valid error packet (or sucess) formed in
 167    the error_blob
 168 */
 169 static BOOL kpasswdd_change_password(struct kdc_server *kdc,
 170                                      TALLOC_CTX *mem_ctx,
 171                                      struct auth_session_info *session_info,
 172                                      const char *password,
 173                                      DATA_BLOB *reply)
 174 {
 175         NTSTATUS status;
 176         enum samr_RejectReason reject_reason;
 177         struct samr_DomInfo1 *dominfo;
 178         struct ldb_context *samdb;
 179
 180         samdb = samdb_connect(mem_ctx, system_session(mem_ctx));
 181         if (!samdb) {
 182                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 183                                                 KRB5_KPASSWD_HARDERROR,
 184                                                 "Failed to open samdb",
 185                                                 reply);
 186         }
 187
 188         DEBUG(3, ("Changing password of %s\\%s (%s)\n",
 189                   session_info->server_info->domain_name,
 190                   session_info->server_info->account_name,
 191                   dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
 192
 193         /* User password change */
 194         status = samdb_set_password_sid(samdb, mem_ctx,
 195                                         session_info->security_token->user_sid,
 196                                         password, NULL, NULL,
 197                                         True, /* this is a user password change */
 198                                         True, /* run restriction tests */
 199                                         &reject_reason,
 200                                         &dominfo);
 201         return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 202                                            status,
 203                                            reject_reason,
 204                                            dominfo,
 205                                            reply);
 206
 207 }
 208
 209 static BOOL kpasswd_process_request(struct kdc_server *kdc,
 210                                     TALLOC_CTX *mem_ctx,
 211                                     struct gensec_security *gensec_security,
 212                                     uint16_t version,
 213                                     DATA_BLOB *input,
 214                                     DATA_BLOB *reply)
 215 {
 216         struct auth_session_info *session_info;
 217         if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
 218                                                  &session_info))) {
 219                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 220                                                 KRB5_KPASSWD_HARDERROR,
 221                                                 "gensec_session_info failed!",
 222                                                 reply);
 223         }
 224
 225         switch (version) {
 226         case KRB5_KPASSWD_VERS_CHANGEPW:
 227         {
 228                 char *password = talloc_strndup(mem_ctx, (const char *)input->data, input->length);
 229                 if (!password) {
 230                         return False;
 231                 }
 232                 return kpasswdd_change_password(kdc, mem_ctx, session_info,
 233                                                 password, reply);
 234                 break;
 235         }
 236         case KRB5_KPASSWD_VERS_SETPW:
 237         {
 238                 NTSTATUS status;
 239                 enum samr_RejectReason reject_reason = SAMR_REJECT_OTHER;
 240                 struct samr_DomInfo1 *dominfo = NULL;
 241                 struct ldb_context *samdb;
 242                 struct ldb_message *msg;
 243                 krb5_context context = kdc->smb_krb5_context->krb5_context;
 244
 245                 ChangePasswdDataMS chpw;
 246                 char *password;
 247
 248                 krb5_principal principal;
 249                 char *set_password_on_princ;
 250                 struct ldb_dn *set_password_on_dn;
 251
 252                 size_t len;
 253                 int ret;
 254
 255                 msg = ldb_msg_new(mem_ctx);
 256                 if (!msg) {
 257                         return False;
 258                 }
 259
 260                 ret = decode_ChangePasswdDataMS(input->data, input->length,
 261                                                 &chpw, &len);
 262                 if (ret) {
 263                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 264                                                         KRB5_KPASSWD_MALFORMED,
 265                                                         "failed to decode password change structure",
 266                                                         reply);
 267                 }
 268
 269                 password = talloc_strndup(mem_ctx, chpw.newpasswd.data,
 270                                           chpw.newpasswd.length);
 271                 if (!password) {
 272                         free_ChangePasswdDataMS(&chpw);
 273                         return False;
 274                 }
 275                 if ((chpw.targname && !chpw.targrealm)
 276                     || (!chpw.targname && chpw.targrealm)) {
 277                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 278                                                         KRB5_KPASSWD_MALFORMED,
 279                                                         "Realm and principal must be both present, or neither present",
 280                                                         reply);
 281                 }
 282                 if (chpw.targname && chpw.targrealm) {
 283                         if (_krb5_principalname2krb5_principal(&principal, *chpw.targname,
 284                                                                *chpw.targrealm) != 0) {
 285                                 free_ChangePasswdDataMS(&chpw);
 286                                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 287                                                                 KRB5_KPASSWD_MALFORMED,
 288                                                                 "failed to extract principal to set",
 289                                                                 reply);
 290
 291                         }
 292                 } else {
 293                         free_ChangePasswdDataMS(&chpw);
 294                         return kpasswdd_change_password(kdc, mem_ctx, session_info,
 295                                                         password, reply);
 296                 }
 297                 free_ChangePasswdDataMS(&chpw);
 298
 299                 if (krb5_unparse_name(context, principal, &set_password_on_princ) != 0) {
 300                         krb5_free_principal(context, principal);
 301                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 302                                                         KRB5_KPASSWD_MALFORMED,
 303                                                         "krb5_unparse_name failed!",
 304                                                         reply);
 305                 }
 306
 307                 krb5_free_principal(context, principal);
 308
 309                 samdb = samdb_connect(mem_ctx, session_info);
 310                 if (!samdb) {
 311                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 312                                                          KRB5_KPASSWD_HARDERROR,
 313                                                          "Unable to open database!",
 314                                                          reply);
 315                 }
 316
 317                 DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
 318                           session_info->server_info->domain_name,
 319                           session_info->server_info->account_name,
 320                           dom_sid_string(mem_ctx, session_info->security_token->user_sid),
 321                           set_password_on_princ));
 322                 ret = ldb_transaction_start(samdb);
 323                 if (ret) {
 324                         status = NT_STATUS_TRANSACTION_ABORTED;
 325                         return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 326                                                            status,
 327                                                            SAMR_REJECT_OTHER,
 328                                                            NULL,
 329                                                            reply);
 330                 }
 331
 332                 status = crack_user_principal_name(samdb, mem_ctx,
 333                                                    set_password_on_princ,
 334                                                    &set_password_on_dn, NULL);
 335                 free(set_password_on_princ);
 336                 if (!NT_STATUS_IS_OK(status)) {
 337                         ldb_transaction_cancel(samdb);
 338                         return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 339                                                            status,
 340                                                            SAMR_REJECT_OTHER,
 341                                                            NULL,
 342                                                            reply);
 343                 }
 344
 345                 msg = ldb_msg_new(mem_ctx);
 346                 if (msg == NULL) {
 347                         ldb_transaction_cancel(samdb);
 348                         status = NT_STATUS_NO_MEMORY;
 349                 } else {
 350                         msg->dn = ldb_dn_copy(msg, set_password_on_dn);
 351                         if (!msg->dn) {
 352                                 status = NT_STATUS_NO_MEMORY;
 353                         }
 354                 }
 355
 356                 if (NT_STATUS_IS_OK(status)) {
 357                         /* Admin password set */
 358                         status = samdb_set_password(samdb, mem_ctx,
 359                                                     set_password_on_dn, NULL,
 360                                                     msg, password, NULL, NULL,
 361                                                     False, /* this is not a user password change */
 362                                                     True, /* run restriction tests */
 363                                                     &reject_reason, &dominfo);
 364                 }
 365
 366                 if (NT_STATUS_IS_OK(status)) {
 367                         /* modify the samdb record */
 368                         ret = samdb_replace(samdb, mem_ctx, msg);
 369                         if (ret != 0) {
 370                                 DEBUG(2,("Failed to modify record to set password on %s: %s\n",
 371                                          ldb_dn_linearize(mem_ctx, msg->dn),
 372                                          ldb_errstring(samdb)));
 373                                 status = NT_STATUS_ACCESS_DENIED;
 374                         }
 375                 }
 376                 if (NT_STATUS_IS_OK(status)) {
 377                         ret = ldb_transaction_commit(samdb);
 378                         if (ret != 0) {
 379                                 DEBUG(1,("Failed to commit transaction to set password on %s: %s\n",
 380                                          ldb_dn_linearize(mem_ctx, msg->dn),
 381                                          ldb_errstring(samdb)));
 382                                 status = NT_STATUS_TRANSACTION_ABORTED;
 383                         }
 384                 } else {
 385                         ldb_transaction_cancel(samdb);
 386                 }
 387                 return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 388                                                    status,
 389                                                    reject_reason,
 390                                                    dominfo,
 391                                                    reply);
 392         }
 393         default:
 394                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 395                                                  KRB5_KPASSWD_BAD_VERSION,
 396                                                  talloc_asprintf(mem_ctx,
 397                                                                  "Protocol version %u not supported",
 398                                                                  version),
 399                                                  reply);
 400         }
 401         return True;
 402 }
 403
 404 BOOL kpasswdd_process(struct kdc_server *kdc,
 405                       TALLOC_CTX *mem_ctx,
 406                       DATA_BLOB *input,
 407                       DATA_BLOB *reply,
 408                       struct socket_address *peer_addr,
 409                       struct socket_address *my_addr)
 410 {
 411         BOOL ret;
 412         const uint16_t header_len = 6;
 413         uint16_t len;
 414         uint16_t ap_req_len;
 415         uint16_t krb_priv_len;
 416         uint16_t version;
 417         NTSTATUS nt_status;
 418         DATA_BLOB ap_req, krb_priv_req;
 419         DATA_BLOB krb_priv_rep = data_blob(NULL, 0);
 420         DATA_BLOB ap_rep = data_blob(NULL, 0);
 421         DATA_BLOB kpasswd_req, kpasswd_rep;
 422         struct cli_credentials *server_credentials;
 423         struct gensec_security *gensec_security;
 424         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 425
 426         if (!tmp_ctx) {
 427                 return False;
 428         }
 429
 430         /* Be parinoid.  We need to ensure we don't just let the
 431          * caller lead us into a buffer overflow */
 432         if (input->length <= header_len) {
 433                 talloc_free(tmp_ctx);
 434                 return False;
 435         }
 436
 437         len = RSVAL(input->data, 0);
 438         if (input->length != len) {
 439                 talloc_free(tmp_ctx);
 440                 return False;
 441         }
 442
 443         /* There are two different versions of this protocol so far,
 444          * plus others in the standards pipe.  Fortunetly they all
 445          * take a very similar framing */
 446         version = RSVAL(input->data, 2);
 447         ap_req_len = RSVAL(input->data, 4);
 448         if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
 449                 talloc_free(tmp_ctx);
 450                 return False;
 451         }
 452
 453         krb_priv_len = len - ap_req_len;
 454         ap_req = data_blob_const(&input->data[header_len], ap_req_len);
 455         krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
 456
 457         nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx, kdc->task->msg_ctx, &gensec_security);
 458         if (!NT_STATUS_IS_OK(nt_status)) {
 459                 talloc_free(tmp_ctx);
 460                 return False;
 461         }
 462
 463         server_credentials = cli_credentials_init(tmp_ctx);
 464         if (!server_credentials) {
 465                 DEBUG(1, ("Failed to init server credentials\n"));
 466                 return False;
 467         }
 468
 469         /* We want the credentials subsystem to use the krb5 context
 470          * we already have, rather than a new context */
 471         cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
 472         cli_credentials_set_conf(server_credentials);
 473         nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw");
 474         if (!NT_STATUS_IS_OK(nt_status)) {
 475                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 476                                                        KRB5_KPASSWD_HARDERROR,
 477                                                        talloc_asprintf(mem_ctx,
 478                                                                        "Failed to obtain server credentials for kadmin/changepw: %s\n",
 479                                                                        nt_errstr(nt_status)),
 480                                                        &krb_priv_rep);
 481                 ap_rep.length = 0;
 482                 if (ret) {
 483                         goto reply;
 484                 }
 485                 talloc_free(tmp_ctx);
 486                 return ret;
 487         }
 488
 489         nt_status = gensec_set_credentials(gensec_security, server_credentials);
 490         if (!NT_STATUS_IS_OK(nt_status)) {
 491                 talloc_free(tmp_ctx);
 492                 return False;
 493         }
 494
 495         /* The kerberos PRIV packets include these addresses.  MIT
 496          * clients check that they are present */
 497         nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
 498         if (!NT_STATUS_IS_OK(nt_status)) {
 499                 talloc_free(tmp_ctx);
 500                 return False;
 501         }
 502         nt_status = gensec_set_my_addr(gensec_security, my_addr);
 503         if (!NT_STATUS_IS_OK(nt_status)) {
 504                 talloc_free(tmp_ctx);
 505                 return False;
 506         }
 507
 508         /* We want the GENSEC wrap calls to generate PRIV tokens */
 509         gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
 510
 511         nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
 512         if (!NT_STATUS_IS_OK(nt_status)) {
 513                 talloc_free(tmp_ctx);
 514                 return False;
 515         }
 516
 517         /* Accept the AP-REQ and generate teh AP-REP we need for the reply */
 518         nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep);
 519         if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 520
 521                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 522                                                        KRB5_KPASSWD_HARDERROR,
 523                                                        talloc_asprintf(mem_ctx,
 524                                                                        "gensec_update failed: %s",
 525                                                                        nt_errstr(nt_status)),
 526                                                        &krb_priv_rep);
 527                 ap_rep.length = 0;
 528                 if (ret) {
 529                         goto reply;
 530                 }
 531                 talloc_free(tmp_ctx);
 532                 return ret;
 533         }
 534
 535         /* Extract the data from the KRB-PRIV half of the message */
 536         nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
 537         if (!NT_STATUS_IS_OK(nt_status)) {
 538                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 539                                                        KRB5_KPASSWD_HARDERROR,
 540                                                        talloc_asprintf(mem_ctx,
 541                                                                        "gensec_unwrap failed: %s",
 542                                                                        nt_errstr(nt_status)),
 543                                                        &krb_priv_rep);
 544                 ap_rep.length = 0;
 545                 if (ret) {
 546                         goto reply;
 547                 }
 548                 talloc_free(tmp_ctx);
 549                 return ret;
 550         }
 551
 552         /* Figure out something to do with it (probably changing a password...) */
 553         ret = kpasswd_process_request(kdc, tmp_ctx,
 554                                       gensec_security,
 555                                       version,
 556                                       &kpasswd_req, &kpasswd_rep);
 557         if (!ret) {
 558                 /* Argh! */
 559                 return False;
 560         }
 561
 562         /* And wrap up the reply: This ensures that the error message
 563          * or success can be verified by the client */
 564         nt_status = gensec_wrap(gensec_security, tmp_ctx,
 565                                 &kpasswd_rep, &krb_priv_rep);
 566         if (!NT_STATUS_IS_OK(nt_status)) {
 567                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 568                                                        KRB5_KPASSWD_HARDERROR,
 569                                                        talloc_asprintf(mem_ctx,
 570                                                                        "gensec_wrap failed: %s",
 571                                                                        nt_errstr(nt_status)),
 572                                                        &krb_priv_rep);
 573                 ap_rep.length = 0;
 574                 if (ret) {
 575                         goto reply;
 576                 }
 577                 talloc_free(tmp_ctx);
 578                 return ret;
 579         }
 580
 581 reply:
 582         *reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len);
 583         if (!reply->data) {
 584                 return False;
 585         }
 586
 587         RSSVAL(reply->data, 0, reply->length);
 588         RSSVAL(reply->data, 2, 1); /* This is a version 1 reply, MS change/set or otherwise */
 589         RSSVAL(reply->data, 4, ap_rep.length);
 590         memcpy(reply->data + header_len,
 591                ap_rep.data,
 592                ap_rep.length);
 593         memcpy(reply->data + header_len + ap_rep.length,
 594                krb_priv_rep.data,
 595                krb_priv_rep.length);
 596
 597         talloc_free(tmp_ctx);
 598         return ret;
 599 }
 600