auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine...
[samba.git] / source4 / kdc / hdb-samba4.c
index 313f419a83991311b897b2e597251107de72e544..32c6d2f8c2210c3dd6b2122fb450c17bcce3adf8 100644 (file)
  */
 
 #include "includes.h"
-#include "auth/auth.h"
-#include "auth/credentials/credentials.h"
-#include "dsdb/samdb/samdb.h"
-#include "param/param.h"
 #include "kdc/kdc-glue.h"
 #include "kdc/db-glue.h"
+#include "kdc/pac-glue.h"
+#include "auth/auth_sam.h"
+#include "auth/common_auth.h"
+#include "auth/authn_policy.h"
+#include <ldb.h>
+#include "sdb.h"
+#include "sdb_hdb.h"
+#include "dsdb/samdb/samdb.h"
+#include "param/param.h"
+#include "../lib/tsocket/tsocket.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "lib/messaging/irpc.h"
+#include "hdb.h"
+#include <kdc-audit.h>
+#include <kdc-plugin.h>
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
 
 static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
 {
@@ -72,50 +86,211 @@ static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const ch
        return HDB_ERR_DB_INUSE;
 }
 
-static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
+static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
 {
        return HDB_ERR_DB_INUSE;
 }
 
-static krb5_error_code hdb_samba4_remove(krb5_context context, HDB *db, krb5_const_principal principal)
+/*
+ * If we ever want kadmin to work fast, we might try and reopen the
+ * ldb with LDB_NOSYNC
+ */
+static krb5_error_code hdb_samba4_set_sync(krb5_context context, struct HDB *db, int set_sync)
 {
-       return HDB_ERR_DB_INUSE;
+       return 0;
+}
+
+static void hdb_samba4_free_entry_context(krb5_context context, struct HDB *db, hdb_entry *entry)
+{
+       /*
+        * This function is now called for every HDB entry, not just those with
+        * 'context' set, so we have to check that the context is not NULL.
+       */
+       if (entry->context != NULL) {
+               struct samba_kdc_entry *skdc_entry =
+                       talloc_get_type_abort(entry->context,
+                       struct samba_kdc_entry);
+
+               /* this function is called only from hdb_free_entry().
+                * Make sure we neutralize the destructor or we will
+                * get a double free later when hdb_free_entry() will
+                * try to call free_hdb_entry() */
+               entry->context = NULL;
+               skdc_entry->kdc_entry = NULL;
+               TALLOC_FREE(skdc_entry);
+       }
+}
+
+static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context,
+                                                   struct samba_kdc_db_context *kdc_db_ctx,
+                                                   hdb_entry *entry)
+{
+       DBG_ERR("Looked up HDB entry for unsupported FX-COOKIE.\n");
+       return HDB_ERR_NOENTRY;
 }
 
 static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
                                             krb5_const_principal principal,
                                             unsigned flags,
                                             krb5_kvno kvno,
-                                            hdb_entry_ex *entry_ex)
+                                            hdb_entry *entry)
 {
        struct samba_kdc_db_context *kdc_db_ctx;
+       struct sdb_entry sentry = {};
+       krb5_error_code code, ret;
+       uint32_t sflags;
+
+       kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
+                                          struct samba_kdc_db_context);
+
+       if (flags & HDB_F_GET_FAST_COOKIE) {
+               return hdb_samba4_fetch_fast_cookie(context,
+                                                   kdc_db_ctx,
+                                                   entry);
+       }
+
+       sflags = (flags & SDB_F_HDB_MASK);
+
+       ret = samba_kdc_fetch(context,
+                             kdc_db_ctx,
+                             principal,
+                             sflags,
+                             kvno,
+                             &sentry);
+       switch (ret) {
+       case 0:
+               code = 0;
+               break;
+       case SDB_ERR_WRONG_REALM:
+               /*
+                * If SDB_ERR_WRONG_REALM is returned we need to process the
+                * sdb_entry to fill the principal in the HDB entry.
+                */
+               code = HDB_ERR_WRONG_REALM;
+               break;
+       case SDB_ERR_NOENTRY:
+               return HDB_ERR_NOENTRY;
+       case SDB_ERR_NOT_FOUND_HERE:
+               return HDB_ERR_NOT_FOUND_HERE;
+       default:
+               return ret;
+       }
+
+       ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
+       sdb_entry_free(&sentry);
+
+       if (code == 0) {
+               code = ret;
+       }
+
+       return code;
+}
+
+static krb5_error_code hdb_samba4_kpasswd_fetch_kvno(krb5_context context, HDB *db,
+                                                    krb5_const_principal _principal,
+                                                    unsigned flags,
+                                                    krb5_kvno _kvno,
+                                                    hdb_entry *entry)
+{
+       struct samba_kdc_db_context *kdc_db_ctx = NULL;
+       krb5_error_code ret;
+       krb5_principal kpasswd_principal = NULL;
 
        kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
                                           struct samba_kdc_db_context);
 
-       return samba_kdc_fetch(context, kdc_db_ctx, principal, flags, kvno, entry_ex);
+       ret = smb_krb5_make_principal(context, &kpasswd_principal,
+                                     lpcfg_realm(kdc_db_ctx->lp_ctx),
+                                     "kadmin", "changepw",
+                                     NULL);
+       if (ret) {
+               return ret;
+       }
+       smb_krb5_principal_set_type(context, kpasswd_principal, KRB5_NT_SRV_INST);
+
+       /*
+        * For the kpasswd service, always ensure we get the latest kvno. This
+        * also means we (correctly) refuse RODC-issued tickets.
+        */
+       flags &= ~HDB_F_KVNO_SPECIFIED;
+
+       /* Don't bother looking up a client or krbtgt. */
+       flags &= ~(HDB_F_GET_CLIENT|HDB_F_GET_KRBTGT);
+
+       ret = hdb_samba4_fetch_kvno(context, db,
+                                   kpasswd_principal,
+                                   flags,
+                                   0,
+                                   entry);
+
+       krb5_free_principal(context, kpasswd_principal);
+       return ret;
 }
 
 static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
-                                       hdb_entry_ex *entry)
+                                       hdb_entry *entry)
 {
        struct samba_kdc_db_context *kdc_db_ctx;
+       struct sdb_entry sentry = {};
+       krb5_error_code ret;
 
        kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
                                           struct samba_kdc_db_context);
 
-       return samba_kdc_firstkey(context, kdc_db_ctx, entry);
+       ret = samba_kdc_firstkey(context, kdc_db_ctx, SDB_F_ADMIN_DATA, &sentry);
+       switch (ret) {
+       case 0:
+               break;
+       case SDB_ERR_WRONG_REALM:
+               return HDB_ERR_WRONG_REALM;
+       case SDB_ERR_NOENTRY:
+               return HDB_ERR_NOENTRY;
+       case SDB_ERR_NOT_FOUND_HERE:
+               return HDB_ERR_NOT_FOUND_HERE;
+       default:
+               return ret;
+       }
+
+       ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
+       sdb_entry_free(&sentry);
+       return ret;
 }
 
 static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags,
-                                  hdb_entry_ex *entry)
+                                  hdb_entry *entry)
 {
        struct samba_kdc_db_context *kdc_db_ctx;
+       struct sdb_entry sentry = {};
+       krb5_error_code ret;
 
        kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
                                           struct samba_kdc_db_context);
 
-       return samba_kdc_nextkey(context, kdc_db_ctx, entry);
+       ret = samba_kdc_nextkey(context, kdc_db_ctx, SDB_F_ADMIN_DATA, &sentry);
+       switch (ret) {
+       case 0:
+               break;
+       case SDB_ERR_WRONG_REALM:
+               return HDB_ERR_WRONG_REALM;
+       case SDB_ERR_NOENTRY:
+               return HDB_ERR_NOENTRY;
+       case SDB_ERR_NOT_FOUND_HERE:
+               return HDB_ERR_NOT_FOUND_HERE;
+       default:
+               return ret;
+       }
+
+       ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
+       sdb_entry_free(&sentry);
+       return ret;
+}
+
+static krb5_error_code hdb_samba4_nextkey_panic(krb5_context context, HDB *db,
+                                               unsigned flags,
+                                               hdb_entry *entry)
+{
+       DBG_ERR("Attempt to iterate kpasswd keytab => PANIC\n");
+       smb_panic("hdb_samba4_nextkey_panic: Attempt to iterate kpasswd keytab");
 }
 
 static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
@@ -125,33 +300,892 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
 }
 
 static krb5_error_code
-hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db,
-                                       hdb_entry_ex *entry,
+hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
+                                       hdb_entry *entry,
                                        krb5_const_principal target_principal)
 {
-       struct samba_kdc_db_context *kdc_db_ctx;
+       struct samba_kdc_db_context *kdc_db_ctx = NULL;
+       struct samba_kdc_entry *skdc_entry = NULL;
 
        kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
                                           struct samba_kdc_db_context);
+       skdc_entry = talloc_get_type_abort(entry->context,
+                                          struct samba_kdc_entry);
+
+       return samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
+                                        skdc_entry,
+                                        target_principal);
+}
+
+static krb5_error_code
+hdb_samba4_check_rbcd(krb5_context context, HDB *db,
+                     const hdb_entry *client_krbtgt,
+                     const hdb_entry *client,
+                     const hdb_entry *device_krbtgt,
+                     const hdb_entry *device,
+                     krb5_const_principal server_principal,
+                     krb5_const_pac header_pac,
+                     krb5_const_pac device_pac,
+                     const hdb_entry *proxy)
+{
+       struct samba_kdc_db_context *kdc_db_ctx = NULL;
+       struct samba_kdc_entry *client_skdc_entry = NULL;
+       const struct samba_kdc_entry *client_krbtgt_skdc_entry = NULL;
+       struct samba_kdc_entry *proxy_skdc_entry = NULL;
+       const struct auth_user_info_dc *client_info = NULL;
+       const struct auth_user_info_dc *device_info = NULL;
+       struct samba_kdc_entry_pac client_pac_entry = {};
+       struct auth_claims auth_claims = {};
+       TALLOC_CTX *mem_ctx = NULL;
+       krb5_error_code code;
+
+       kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
+                                          struct samba_kdc_db_context);
+       client_skdc_entry = talloc_get_type_abort(client->context,
+                                                 struct samba_kdc_entry);
+       client_krbtgt_skdc_entry = talloc_get_type_abort(client_krbtgt->context,
+                                                        struct samba_kdc_entry);
+       proxy_skdc_entry = talloc_get_type_abort(proxy->context,
+                                                struct samba_kdc_entry);
+
+       mem_ctx = talloc_new(kdc_db_ctx);
+       if (mem_ctx == NULL) {
+               return ENOMEM;
+       }
+
+       client_pac_entry = samba_kdc_entry_pac(header_pac,
+                                              client_skdc_entry,
+                                              samba_kdc_entry_is_trust(client_krbtgt_skdc_entry));
+
+       code = samba_kdc_get_user_info_dc(mem_ctx,
+                                         context,
+                                         kdc_db_ctx->samdb,
+                                         client_pac_entry,
+                                         &client_info,
+                                         NULL /* resource_groups_out */);
+       if (code != 0) {
+               goto out;
+       }
 
-       return samba_kdc_check_identical_client_and_server(context, kdc_db_ctx,
-                                                          entry,
-                                                          target_principal);
+       code = samba_kdc_get_claims_data(mem_ctx,
+                                        context,
+                                        kdc_db_ctx->samdb,
+                                        client_pac_entry,
+                                        &auth_claims.user_claims);
+       if (code) {
+               goto out;
+       }
+
+       if (device != NULL) {
+               struct samba_kdc_entry *device_skdc_entry = NULL;
+               const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
+               struct samba_kdc_entry_pac device_pac_entry = {};
+
+               device_skdc_entry = talloc_get_type_abort(device->context,
+                                                         struct samba_kdc_entry);
+
+               if (device_krbtgt != NULL) {
+                       device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
+                                                                        struct samba_kdc_entry);
+               }
+
+               device_pac_entry = samba_kdc_entry_pac(device_pac,
+                                                      device_skdc_entry,
+                                                      samba_kdc_entry_is_trust(device_krbtgt_skdc_entry));
+
+               code = samba_kdc_get_user_info_dc(mem_ctx,
+                                                 context,
+                                                 kdc_db_ctx->samdb,
+                                                 device_pac_entry,
+                                                 &device_info,
+                                                 NULL /* resource_groups_out */);
+               if (code) {
+                       goto out;
+               }
+
+               code = samba_kdc_get_claims_data(mem_ctx,
+                                                context,
+                                                kdc_db_ctx->samdb,
+                                                device_pac_entry,
+                                                &auth_claims.device_claims);
+               if (code) {
+                       goto out;
+               }
+       }
+
+       code = samba_kdc_check_s4u2proxy_rbcd(context,
+                                             kdc_db_ctx,
+                                             client->principal,
+                                             server_principal,
+                                             client_info,
+                                             device_info,
+                                             auth_claims,
+                                             proxy_skdc_entry);
+out:
+       talloc_free(mem_ctx);
+       return code;
 }
 
 static krb5_error_code
 hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
-                                    hdb_entry_ex *entry,
+                                    hdb_entry *entry,
                                     krb5_const_principal certificate_principal)
 {
        struct samba_kdc_db_context *kdc_db_ctx;
+       struct samba_kdc_entry *skdc_entry;
+       krb5_error_code ret;
 
        kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
                                           struct samba_kdc_db_context);
+       skdc_entry = talloc_get_type_abort(entry->context,
+                                          struct samba_kdc_entry);
+
+       ret = samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx,
+                                                 skdc_entry,
+                                                 certificate_principal);
+       switch (ret) {
+       case 0:
+               break;
+       case SDB_ERR_WRONG_REALM:
+               ret = HDB_ERR_WRONG_REALM;
+               break;
+       case SDB_ERR_NOENTRY:
+               ret = HDB_ERR_NOENTRY;
+               break;
+       case SDB_ERR_NOT_FOUND_HERE:
+               ret = HDB_ERR_NOT_FOUND_HERE;
+               break;
+       default:
+               break;
+       }
+
+       return ret;
+}
+
+static krb5_error_code
+hdb_samba4_check_client_matches_target_service(krb5_context context, HDB *db,
+                         hdb_entry *client_entry,
+                         hdb_entry *server_target_entry)
+{
+       struct samba_kdc_entry *skdc_client_entry
+               = talloc_get_type_abort(client_entry->context,
+                                       struct samba_kdc_entry);
+       struct samba_kdc_entry *skdc_server_target_entry
+               = talloc_get_type_abort(server_target_entry->context,
+                                       struct samba_kdc_entry);
+
+       return samba_kdc_check_client_matches_target_service(context,
+                                                            skdc_client_entry,
+                                                            skdc_server_target_entry);
+}
+
+static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx,
+                                       struct samba_kdc_db_context *kdc_db_ctx,
+                                       struct netr_SendToSamBase *send_to_sam)
+{
+       struct dcerpc_binding_handle *irpc_handle;
+       struct winbind_SendToSam req;
+       struct tevent_req *subreq = NULL;
+
+       irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
+                                                 "winbind_server",
+                                                 &ndr_table_winbind);
+
+       if (irpc_handle == NULL) {
+               DBG_ERR("No winbind_server running!\n");
+               return;
+       }
+
+       req.in.message = *send_to_sam;
+
+       /*
+        * This seem to rely on the current IRPC implementation,
+        * which delivers the message in the _send function.
+        *
+        * TODO: we need a ONE_WAY IRPC handle and register
+        * a callback and wait for it to be triggered!
+        */
+       subreq = dcerpc_winbind_SendToSam_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
+                                                irpc_handle, &req);
+
+       /* we aren't interested in a reply */
+       TALLOC_FREE(subreq);
+}
+
+#define SAMBA_HDB_AUTHN_AUDIT_INFO_OBJ "samba:authn_audit_info_obj"
+#define SAMBA_HDB_CLIENT_AUDIT_INFO "samba:client_audit_info"
+#define SAMBA_HDB_SERVER_AUDIT_INFO "samba:server_audit_info"
+
+#define SAMBA_HDB_NT_STATUS_OBJ "samba:nt_status_obj"
+#define SAMBA_HDB_NT_STATUS "samba:nt_status"
+
+struct hdb_audit_info_obj {
+       struct authn_audit_info *audit_info;
+};
+
+static void hdb_audit_info_obj_dealloc(void *ptr)
+{
+       struct hdb_audit_info_obj *audit_info_obj = ptr;
+
+       if (audit_info_obj == NULL) {
+               return;
+       }
+
+       TALLOC_FREE(audit_info_obj->audit_info);
+}
+
+/*
+ * Set talloc-allocated auditing information of the KDC request. On success,
+ * ‘audit_info’ is invalidated and may no longer be used by the caller.
+ */
+static krb5_error_code hdb_samba4_set_steal_audit_info(astgs_request_t r,
+                                                      const char *key,
+                                                      struct authn_audit_info *audit_info)
+{
+       struct hdb_audit_info_obj *audit_info_obj = NULL;
+
+       audit_info_obj = kdc_object_alloc(sizeof (*audit_info_obj),
+                                         SAMBA_HDB_AUTHN_AUDIT_INFO_OBJ,
+                                         hdb_audit_info_obj_dealloc);
+       if (audit_info_obj == NULL) {
+               return ENOMEM;
+       }
+
+       /*
+        * Steal a handle to the audit information onto the NULL context —
+        * Heimdal will be responsible for the deallocation of the object.
+        */
+       audit_info_obj->audit_info = talloc_steal(NULL, audit_info);
+
+       heim_audit_setkv_object((heim_svc_req_desc)r, key, audit_info_obj);
+       heim_release(audit_info_obj);
+
+       return 0;
+}
+
+/*
+ * Set talloc-allocated client auditing information of the KDC request. On
+ * success, ‘client_audit_info’ is invalidated and may no longer be used by the
+ * caller.
+ */
+krb5_error_code hdb_samba4_set_steal_client_audit_info(astgs_request_t r,
+                                                      struct authn_audit_info *client_audit_info)
+{
+       return hdb_samba4_set_steal_audit_info(r,
+                                              SAMBA_HDB_CLIENT_AUDIT_INFO,
+                                              client_audit_info);
+}
+
+static const struct authn_audit_info *hdb_samba4_get_client_audit_info(hdb_request_t r)
+{
+       const struct hdb_audit_info_obj *audit_info_obj = NULL;
+
+       audit_info_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_CLIENT_AUDIT_INFO);
+       if (audit_info_obj == NULL) {
+               return NULL;
+       }
+
+       return audit_info_obj->audit_info;
+}
+
+/*
+ * Set talloc-allocated server auditing information of the KDC request. On
+ * success, ‘server_audit_info’ is invalidated and may no longer be used by the
+ * caller.
+ */
+krb5_error_code hdb_samba4_set_steal_server_audit_info(astgs_request_t r,
+                                                      struct authn_audit_info *server_audit_info)
+{
+       return hdb_samba4_set_steal_audit_info(r,
+                                              SAMBA_HDB_SERVER_AUDIT_INFO,
+                                              server_audit_info);
+}
+
+static const struct authn_audit_info *hdb_samba4_get_server_audit_info(hdb_request_t r)
+{
+       const struct hdb_audit_info_obj *audit_info_obj = NULL;
+
+       audit_info_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_SERVER_AUDIT_INFO);
+       if (audit_info_obj == NULL) {
+               return NULL;
+       }
+
+       return audit_info_obj->audit_info;
+}
+
+struct hdb_ntstatus_obj {
+       NTSTATUS status;
+       krb5_error_code current_error;
+};
+
+/*
+ * Add an NTSTATUS code to a Kerberos request. ‘error’ is the error value we
+ * want to return to the client. When it comes time to generating the error
+ * request, we shall compare this error value to whatever error we are about to
+ * return; if the two match, we shall replace the ‘e-data’ field in the reply
+ * with the NTSTATUS code.
+ */
+krb5_error_code hdb_samba4_set_ntstatus(astgs_request_t r,
+                                       const NTSTATUS status,
+                                       const krb5_error_code error)
+{
+       struct hdb_ntstatus_obj *status_obj = NULL;
+
+       status_obj = kdc_object_alloc(sizeof (*status_obj),
+                                     SAMBA_HDB_NT_STATUS_OBJ,
+                                     NULL);
+       if (status_obj == NULL) {
+               return ENOMEM;
+       }
+
+       *status_obj = (struct hdb_ntstatus_obj) {
+               .status = status,
+               .current_error = error,
+       };
+
+       heim_audit_setkv_object((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS, status_obj);
+       heim_release(status_obj);
+
+       return 0;
+}
+
+static krb5_error_code hdb_samba4_make_nt_status_edata(const NTSTATUS status,
+                                                      const uint32_t flags,
+                                                      krb5_data *edata_out)
+{
+    const uint32_t status_code = NT_STATUS_V(status);
+    const uint32_t zero = 0;
+    KERB_ERROR_DATA error_data;
+    krb5_data e_data;
+
+    krb5_error_code ret;
+    size_t size;
+
+    /* The raw KERB-ERR-TYPE-EXTENDED structure. */
+    uint8_t data[12];
+
+    PUSH_LE_U32(data, 0, status_code);
+    PUSH_LE_U32(data, 4, zero);
+    PUSH_LE_U32(data, 8, flags);
+
+    e_data = (krb5_data) {
+           .data = &data,
+           .length = sizeof(data),
+    };
+
+    error_data = (KERB_ERROR_DATA) {
+           .data_type = kERB_ERR_TYPE_EXTENDED,
+           .data_value = &e_data,
+    };
+
+    ASN1_MALLOC_ENCODE(KERB_ERROR_DATA,
+                      edata_out->data, edata_out->length,
+                      &error_data,
+                      &size, ret);
+    if (ret) {
+           return ret;
+    }
+    if (size != edata_out->length) {
+           /* Internal ASN.1 encoder error */
+           krb5_data_free(edata_out);
+           return KRB5KRB_ERR_GENERIC;
+    }
+
+    return 0;
+}
+
+static krb5_error_code hdb_samba4_set_edata_from_ntstatus(hdb_request_t r, const NTSTATUS status)
+{
+       const KDC_REQ *req = kdc_request_get_req((astgs_request_t)r);
+       krb5_error_code ret = 0;
+       krb5_data e_data;
+       uint32_t flags = 1;
+
+       if (req->msg_type == krb_tgs_req) {
+               /* This flag is used to indicate a TGS-REQ. */
+               flags |= 2;
+       }
+
+       ret = hdb_samba4_make_nt_status_edata(status, flags, &e_data);
+       if (ret) {
+               return ret;
+       }
+
+       ret = kdc_request_set_e_data((astgs_request_t)r, e_data);
+       if (ret) {
+               krb5_data_free(&e_data);
+       }
+
+       return ret;
+}
+
+static NTSTATUS hdb_samba4_get_ntstatus(hdb_request_t r)
+{
+       struct hdb_ntstatus_obj *status_obj = NULL;
+
+       status_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS);
+       if (status_obj == NULL) {
+               return NT_STATUS_OK;
+       }
+
+       if (r->error_code != status_obj->current_error) {
+               /*
+                * The error code has changed from what we expect. Consider the
+                * NTSTATUS to be invalidated.
+                */
+               return NT_STATUS_OK;
+       }
+
+       return status_obj->status;
+}
+
+static krb5_error_code hdb_samba4_tgs_audit(const struct samba_kdc_db_context *kdc_db_ctx,
+                                           const hdb_entry *entry,
+                                           hdb_request_t r)
+{
+       TALLOC_CTX *frame = talloc_stackframe();
+       const struct authn_audit_info *server_audit_info = NULL;
+       struct tsocket_address *remote_host = NULL;
+       struct samba_kdc_entry *client_entry = NULL;
+       struct dom_sid sid_buf = {};
+       const char *account_name = NULL;
+       const char *domain_name = NULL;
+       const struct dom_sid *sid = NULL;
+       size_t sa_socklen = 0;
+       NTSTATUS auth_status = NT_STATUS_OK;
+       krb5_error_code ret = 0;
+       krb5_error_code final_ret = 0;
+
+       /* Have we got a status code indicating an error? */
+       auth_status = hdb_samba4_get_ntstatus(r);
+       if (!NT_STATUS_IS_OK(auth_status)) {
+               /*
+                * Include this status code in the ‘e-data’ field of the reply.
+                */
+               ret = hdb_samba4_set_edata_from_ntstatus(r, auth_status);
+               if (ret) {
+                       final_ret = ret;
+               }
+       } else if (entry == NULL) {
+               auth_status = NT_STATUS_NO_SUCH_USER;
+       } else if (r->error_code) {
+               /*
+                * Don’t include a status code in the reply. Just log the
+                * request as being unsuccessful.
+                */
+               auth_status = NT_STATUS_UNSUCCESSFUL;
+       }
+
+       switch (r->addr->sa_family) {
+       case AF_INET:
+               sa_socklen = sizeof(struct sockaddr_in);
+               break;
+#ifdef HAVE_IPV6
+       case AF_INET6:
+               sa_socklen = sizeof(struct sockaddr_in6);
+               break;
+#endif
+       }
+
+       ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
+                                               sa_socklen,
+                                               &remote_host);
+       if (ret != 0) {
+               remote_host = NULL;
+               /* Ignore the error. */
+       }
+
+       server_audit_info = hdb_samba4_get_server_audit_info(r);
+
+       if (entry != NULL) {
+               client_entry = talloc_get_type_abort(entry->context,
+                                                    struct samba_kdc_entry);
+
+               ret = samdb_result_dom_sid_buf(client_entry->msg, "objectSid", &sid_buf);
+               if (ret) {
+                       /* Ignore the error. */
+               } else {
+                       sid = &sid_buf;
+               }
+
+               account_name = ldb_msg_find_attr_as_string(client_entry->msg, "sAMAccountName", NULL);
+               domain_name = lpcfg_sam_name(kdc_db_ctx->lp_ctx);
+       }
+
+       log_authz_event(kdc_db_ctx->msg_ctx,
+                       kdc_db_ctx->lp_ctx,
+                       remote_host,
+                       NULL /* local */,
+                       server_audit_info,
+                       r->sname,
+                       "TGS-REQ with Ticket-Granting Ticket",
+                       domain_name,
+                       account_name,
+                       sid,
+                       lpcfg_netbios_name(kdc_db_ctx->lp_ctx),
+                       krb5_kdc_get_time(),
+                       auth_status);
+
+       talloc_free(frame);
+       if (final_ret) {
+               r->error_code = final_ret;
+       }
+       return final_ret;
+}
+
+static krb5_error_code hdb_samba4_audit(krb5_context context,
+                                       HDB *db,
+                                       hdb_entry *entry,
+                                       hdb_request_t r)
+{
+       struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
+                                                                       struct samba_kdc_db_context);
+       struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
+       heim_object_t auth_details_obj = NULL;
+       const char *auth_details = NULL;
+       char *etype_str = NULL;
+       heim_object_t hdb_auth_status_obj = NULL;
+       int hdb_auth_status;
+       heim_object_t pa_type_obj = NULL;
+       const char *pa_type = NULL;
+       struct auth_usersupplied_info ui;
+       size_t sa_socklen = 0;
+       const KDC_REQ *req = kdc_request_get_req((astgs_request_t)r);
+       krb5_error_code final_ret = 0;
+       NTSTATUS edata_status;
+
+       if (req->msg_type == krb_tgs_req) {
+               return hdb_samba4_tgs_audit(kdc_db_ctx, entry, r);
+       }
+
+       if (r->error_code == KRB5KDC_ERR_PREAUTH_REQUIRED) {
+               /* Let’s not log PREAUTH_REQUIRED errors. */
+               return 0;
+       }
+
+       edata_status = hdb_samba4_get_ntstatus(r);
+
+       hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT);
+       if (hdb_auth_status_obj == NULL) {
+               /* No status code found, so just return. */
+               return 0;
+       }
+
+       hdb_auth_status = heim_number_get_int(hdb_auth_status_obj);
+
+       pa_type_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_NAME);
+       if (pa_type_obj != NULL) {
+               pa_type = heim_string_get_utf8(pa_type_obj);
+       }
+
+       auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PKINIT_CLIENT_CERT);
+       if (auth_details_obj != NULL) {
+               auth_details = heim_string_get_utf8(auth_details_obj);
+       } else {
+               auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_GSS_INITIATOR);
+               if (auth_details_obj != NULL) {
+                       auth_details = heim_string_get_utf8(auth_details_obj);
+               } else {
+                       heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_ETYPE);
+                       if (etype_obj != NULL) {
+                               int etype = heim_number_get_int(etype_obj);
+
+                               krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
+                               if (ret == 0) {
+                                       auth_details = etype_str;
+                               } else {
+                                       auth_details = "unknown enctype";
+                               }
+                       }
+               }
+       }
+
+       /*
+        * Forcing this via the NTLM auth structure is not ideal, but
+        * it is the most practical option right now, and ensures the
+        * logs are consistent, even if some elements are always NULL.
+        */
+       ui = (struct auth_usersupplied_info) {
+               .was_mapped = true,
+               .client = {
+                       .account_name = r->cname,
+                       .domain_name = NULL,
+               },
+               .service_description = "Kerberos KDC",
+               .auth_description = "Unknown Auth Description",
+               .password_type = auth_details,
+               .logon_id = generate_random_u64(),
+       };
+
+       switch (r->addr->sa_family) {
+       case AF_INET:
+               sa_socklen = sizeof(struct sockaddr_in);
+               break;
+#ifdef HAVE_IPV6
+       case AF_INET6:
+               sa_socklen = sizeof(struct sockaddr_in6);
+               break;
+#endif
+       }
+
+       switch (hdb_auth_status) {
+       default:
+       {
+               TALLOC_CTX *frame = talloc_stackframe();
+               struct samba_kdc_entry *p = talloc_get_type_abort(entry->context,
+                                                                 struct samba_kdc_entry);
+               struct dom_sid *sid
+                       = samdb_result_dom_sid(frame, p->msg, "objectSid");
+               const char *account_name
+                       = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
+               const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
+               struct tsocket_address *remote_host;
+               const char *auth_description = NULL;
+               const struct authn_audit_info *client_audit_info = NULL;
+               const struct authn_audit_info *server_audit_info = NULL;
+               NTSTATUS status;
+               int ret;
+               bool rwdc_fallback = false;
+
+               ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
+                                                       sa_socklen,
+                                                       &remote_host);
+               if (ret != 0) {
+                       ui.remote_host = NULL;
+               } else {
+                       ui.remote_host = remote_host;
+               }
+
+               ui.mapped.account_name = account_name;
+               ui.mapped.domain_name = domain_name;
+
+               if (pa_type != NULL) {
+                       auth_description = talloc_asprintf(frame,
+                                                          "%s Pre-authentication",
+                                                          pa_type);
+                       if (auth_description == NULL) {
+                               auth_description = pa_type;
+                       }
+               } else {
+                       auth_description = "Unknown Pre-authentication";
+               }
+               ui.auth_description = auth_description;
+
+               if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
+                       struct netr_SendToSamBase *send_to_sam = NULL;
+
+                       /*
+                        * TODO: We could log the AS-REQ authorization success here as
+                        * well.  However before we do that, we need to pass
+                        * in the PAC here or re-calculate it.
+                        */
+                       status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
+                                                                 domain_dn, true, frame, &send_to_sam);
+                       if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+                               edata_status = status;
 
-       return samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx,
-                                                  entry,
-                                                  certificate_principal);
+                               r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+                               rwdc_fallback = kdc_db_ctx->rodc;
+                       } else if (!NT_STATUS_IS_OK(status)) {
+                               r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+                               rwdc_fallback = kdc_db_ctx->rodc;
+                       } else {
+                               if (r->error_code == KRB5KDC_ERR_NEVER_VALID) {
+                                       edata_status = status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+                               } else {
+                                       status = krb5_to_nt_status(r->error_code);
+                               }
+
+                               if (kdc_db_ctx->rodc && send_to_sam != NULL) {
+                                       reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
+                               }
+                       }
+
+                       /* This is the final success */
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
+                       /*
+                        * This was only a pre-authentication success,
+                        * but we didn't reach the final
+                        * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+                        * so consult the error code.
+                        */
+                       if (r->error_code == 0) {
+                               DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY "
+                                       "with error=0 => INTERNAL_ERROR\n");
+                               status = NT_STATUS_INTERNAL_ERROR;
+                               r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
+                       } else if (!NT_STATUS_IS_OK(p->reject_status)) {
+                               status = p->reject_status;
+                       } else {
+                               status = krb5_to_nt_status(r->error_code);
+                       }
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
+                       /*
+                        * This was only a pre-authentication success,
+                        * but we didn't reach the final
+                        * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+                        * so consult the error code.
+                        */
+                       if (r->error_code == 0) {
+                               DBG_ERR("ERROR: PREAUTH_SUCCEEDED "
+                                       "with error=0 => INTERNAL_ERROR\n");
+                               status = NT_STATUS_INTERNAL_ERROR;
+                               r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
+                       } else if (!NT_STATUS_IS_OK(p->reject_status)) {
+                               status = p->reject_status;
+                       } else {
+                               status = krb5_to_nt_status(r->error_code);
+                       }
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_FOUND) {
+                       /*
+                        * We found the client principal,
+                        * but we didn’t reach the final
+                        * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+                        * so consult the error code.
+                        */
+                       if (r->error_code == 0) {
+                               DBG_ERR("ERROR: CLIENT_FOUND "
+                                       "with error=0 => INTERNAL_ERROR\n");
+                               status = NT_STATUS_INTERNAL_ERROR;
+                               r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
+                       } else if (!NT_STATUS_IS_OK(p->reject_status)) {
+                               status = p->reject_status;
+                       } else {
+                               status = krb5_to_nt_status(r->error_code);
+                       }
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
+                       status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
+                       status = authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
+                       if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+                               edata_status = status;
+
+                               r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+                       } else {
+                               status = NT_STATUS_WRONG_PASSWORD;
+                       }
+                       rwdc_fallback = kdc_db_ctx->rodc;
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY) {
+                       /*
+                        * The pre-authentication succeeds with a password
+                        * from the password history, so we don't
+                        * update the badPwdCount, but still return
+                        * PREAUTH_FAILED and need to forward to
+                        * a RWDC in order to produce an authoritative
+                        * response for the client.
+                        */
+                       status = NT_STATUS_WRONG_PASSWORD;
+                       rwdc_fallback = kdc_db_ctx->rodc;
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
+                       edata_status = status = NT_STATUS_ACCOUNT_LOCKED_OUT;
+                       rwdc_fallback = kdc_db_ctx->rodc;
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) {
+                       if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
+                               status = NT_STATUS_PKINIT_NAME_MISMATCH;
+                       } else {
+                               status = NT_STATUS_ACCOUNT_RESTRICTION;
+                       }
+                       rwdc_fallback = kdc_db_ctx->rodc;
+               } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
+                       if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
+                               status = NT_STATUS_PKINIT_FAILURE;
+                       } else {
+                               status = NT_STATUS_GENERIC_COMMAND_FAILED;
+                       }
+                       rwdc_fallback = kdc_db_ctx->rodc;
+               } else {
+                       DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
+                               hdb_auth_status);
+                       status = NT_STATUS_INTERNAL_ERROR;
+                       r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
+               }
+
+               if (!NT_STATUS_IS_OK(edata_status)) {
+                       krb5_error_code code;
+
+                       code = hdb_samba4_set_edata_from_ntstatus(r, edata_status);
+                       if (code) {
+                               r->error_code = final_ret = code;
+                       }
+               }
+
+               if (rwdc_fallback) {
+                       /*
+                        * Forward the request to an RWDC in order
+                        * to give an authoritative answer to the client.
+                        */
+                       auth_description = talloc_asprintf(frame,
+                                                          "%s,Forward-To-RWDC",
+                                                          ui.auth_description);
+                       if (auth_description != NULL) {
+                               ui.auth_description = auth_description;
+                       }
+                       final_ret = HDB_ERR_NOT_FOUND_HERE;
+               }
+
+               client_audit_info = hdb_samba4_get_client_audit_info(r);
+               server_audit_info = hdb_samba4_get_server_audit_info(r);
+
+               log_authentication_event(kdc_db_ctx->msg_ctx,
+                                        kdc_db_ctx->lp_ctx,
+                                        &r->tv_start,
+                                        &ui,
+                                        status,
+                                        domain_name,
+                                        account_name,
+                                        sid,
+                                        client_audit_info,
+                                        server_audit_info);
+               if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) {
+                       /*
+                        * If we're running under make test
+                        * just panic
+                        */
+                       DBG_ERR("Unexpected situation => PANIC\n");
+                       smb_panic("hdb_samba4_audit: Unexpected situation");
+               }
+               TALLOC_FREE(frame);
+               break;
+       }
+       case KDC_AUTH_EVENT_CLIENT_UNKNOWN:
+       {
+               struct tsocket_address *remote_host;
+               int ret;
+               TALLOC_CTX *frame = talloc_stackframe();
+               ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
+                                                       sa_socklen,
+                                                       &remote_host);
+               if (ret != 0) {
+                       ui.remote_host = NULL;
+               } else {
+                       ui.remote_host = remote_host;
+               }
+
+               if (pa_type == NULL) {
+                       pa_type = "AS-REQ";
+               }
+
+               ui.auth_description = pa_type;
+
+               /* Note this is not forwarded to an RWDC */
+
+               log_authentication_event(kdc_db_ctx->msg_ctx,
+                                        kdc_db_ctx->lp_ctx,
+                                        &r->tv_start,
+                                        &ui,
+                                        NT_STATUS_NO_SUCH_USER,
+                                        NULL, NULL,
+                                        NULL,
+                                        NULL /* client_audit_info */,
+                                        NULL /* server_audit_info */);
+               TALLOC_FREE(frame);
+               break;
+       }
+       }
+
+       free(etype_str);
+
+       return final_ret;
 }
 
 /* This interface is to be called by the KDC and libnet_keytab_dump,
@@ -160,38 +1194,44 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
  * kpasswdd -> krb5 -> keytab_hdb -> hdb code */
 
 NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
-                              krb5_context context, struct HDB **db)
+                              krb5_context context, struct HDB **db,
+                              struct samba_kdc_db_context **kdc_db_ctx)
 {
-       struct samba_kdc_db_context *kdc_db_ctx;
        NTSTATUS nt_status;
 
-       *db = talloc(base_ctx, HDB);
+       if (hdb_interface_version != HDB_INTERFACE_VERSION) {
+               krb5_set_error_message(context, EINVAL, "Heimdal HDB interface version mismatch between build-time and run-time libraries!");
+               return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
+       }
+
+       *db = talloc_zero(base_ctx, HDB);
        if (!*db) {
-               krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+               krb5_set_error_message(context, ENOMEM, "talloc_zero: out of memory");
                return NT_STATUS_NO_MEMORY;
        }
 
        (*db)->hdb_master_key_set = 0;
        (*db)->hdb_db = NULL;
-       (*db)->hdb_capability_flags = 0;
+       (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
 
-       nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &kdc_db_ctx);
+       nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, kdc_db_ctx);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(*db);
                return nt_status;
        }
-       (*db)->hdb_db = kdc_db_ctx;
+       (*db)->hdb_db = *kdc_db_ctx;
 
        (*db)->hdb_dbc = NULL;
        (*db)->hdb_open = hdb_samba4_open;
        (*db)->hdb_close = hdb_samba4_close;
+       (*db)->hdb_free_entry_context = hdb_samba4_free_entry_context;
        (*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
        (*db)->hdb_store = hdb_samba4_store;
-       (*db)->hdb_remove = hdb_samba4_remove;
        (*db)->hdb_firstkey = hdb_samba4_firstkey;
        (*db)->hdb_nextkey = hdb_samba4_nextkey;
        (*db)->hdb_lock = hdb_samba4_lock;
        (*db)->hdb_unlock = hdb_samba4_unlock;
+       (*db)->hdb_set_sync = hdb_samba4_set_sync;
        (*db)->hdb_rename = hdb_samba4_rename;
        /* we don't implement these, as we are not a lockable database */
        (*db)->hdb__get = NULL;
@@ -200,42 +1240,31 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
        (*db)->hdb__del = NULL;
        (*db)->hdb_destroy = hdb_samba4_destroy;
 
-       (*db)->hdb_auth_status = NULL;
-       (*db)->hdb_check_constrained_delegation = hdb_samba4_check_identical_client_and_server;
+       (*db)->hdb_audit = hdb_samba4_audit;
+       (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
+       (*db)->hdb_check_rbcd = hdb_samba4_check_rbcd;
        (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
-       (*db)->hdb_check_s4u2self = hdb_samba4_check_identical_client_and_server;
+       (*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service;
 
        return NT_STATUS_OK;
 }
 
-static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg)
+NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
+                                      krb5_context context, struct HDB **db)
 {
        NTSTATUS nt_status;
-       void *ptr;
-       struct samba_kdc_base_context *base_ctx;
 
-       if (sscanf(arg, "&%p", &ptr) != 1) {
-               return EINVAL;
-       }
-       base_ctx = talloc_get_type_abort(ptr, struct samba_kdc_base_context);
-       /* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */
-       nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
+       /* This is only used in other callers */
+       struct samba_kdc_db_context *kdc_db_ctx = NULL;
 
-       if (NT_STATUS_IS_OK(nt_status)) {
-               return 0;
+       nt_status = hdb_samba4_create_kdc(base_ctx, context, db, &kdc_db_ctx);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               return nt_status;
        }
-       return EINVAL;
-}
 
-/* Only used in the hdb-backed keytab code
- * for a keytab of 'samba4&<address>', to find
- * kpasswd's key in the main DB, and to
- * copy all the keys into a file (libnet_keytab_export)
- *
- * The <address> is the string form of a pointer to a talloced struct hdb_samba_context
- */
-struct hdb_method hdb_samba4 = {
-       .interface_version = HDB_INTERFACE_VERSION,
-       .prefix = "samba4",
-       .create = hdb_samba4_create
-};
+       (*db)->hdb_fetch_kvno = hdb_samba4_kpasswd_fetch_kvno;
+       (*db)->hdb_firstkey = hdb_samba4_nextkey_panic;
+       (*db)->hdb_nextkey = hdb_samba4_nextkey_panic;
+
+       return NT_STATUS_OK;
+}