#include "includes.h"
#include "kdc/kdc-glue.h"
#include "kdc/db-glue.h"
+#include "kdc/pac-glue.h"
#include "auth/auth_sam.h"
#include "auth/common_auth.h"
+#include "auth/authn_policy.h"
#include <ldb.h>
#include "sdb.h"
#include "sdb_hdb.h"
#include "../lib/tsocket/tsocket.h"
#include "librpc/gen_ndr/ndr_winbind_c.h"
#include "lib/messaging/irpc.h"
+#include "hdb.h"
+#include <kdc-audit.h>
+#include <kdc-plugin.h>
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
{
return HDB_ERR_DB_INUSE;
}
-static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
+static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
{
return HDB_ERR_DB_INUSE;
}
-static krb5_error_code hdb_samba4_remove(krb5_context context, HDB *db, krb5_const_principal principal)
+/*
+ * If we ever want kadmin to work fast, we might try and reopen the
+ * ldb with LDB_NOSYNC
+ */
+static krb5_error_code hdb_samba4_set_sync(krb5_context context, struct HDB *db, int set_sync)
{
- return HDB_ERR_DB_INUSE;
+ return 0;
+}
+
+static void hdb_samba4_free_entry_context(krb5_context context, struct HDB *db, hdb_entry *entry)
+{
+ /*
+ * This function is now called for every HDB entry, not just those with
+ * 'context' set, so we have to check that the context is not NULL.
+ */
+ if (entry->context != NULL) {
+ struct samba_kdc_entry *skdc_entry =
+ talloc_get_type_abort(entry->context,
+ struct samba_kdc_entry);
+
+ /* this function is called only from hdb_free_entry().
+ * Make sure we neutralize the destructor or we will
+ * get a double free later when hdb_free_entry() will
+ * try to call free_hdb_entry() */
+ entry->context = NULL;
+ skdc_entry->kdc_entry = NULL;
+ TALLOC_FREE(skdc_entry);
+ }
+}
+
+static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context,
+ struct samba_kdc_db_context *kdc_db_ctx,
+ hdb_entry *entry)
+{
+ DBG_ERR("Looked up HDB entry for unsupported FX-COOKIE.\n");
+ return HDB_ERR_NOENTRY;
}
static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
krb5_const_principal principal,
unsigned flags,
krb5_kvno kvno,
- hdb_entry_ex *entry_ex)
+ hdb_entry *entry)
{
struct samba_kdc_db_context *kdc_db_ctx;
- struct sdb_entry_ex sdb_entry_ex = {};
+ struct sdb_entry sentry = {};
krb5_error_code code, ret;
+ uint32_t sflags;
kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
+ if (flags & HDB_F_GET_FAST_COOKIE) {
+ return hdb_samba4_fetch_fast_cookie(context,
+ kdc_db_ctx,
+ entry);
+ }
+
+ sflags = (flags & SDB_F_HDB_MASK);
+
ret = samba_kdc_fetch(context,
kdc_db_ctx,
principal,
- flags,
+ sflags,
kvno,
- &sdb_entry_ex);
+ &sentry);
switch (ret) {
case 0:
code = 0;
return ret;
}
- ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry_ex);
- sdb_free_entry(&sdb_entry_ex);
+ ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
+ sdb_entry_free(&sentry);
- if (code != 0 && ret != 0) {
+ if (code == 0) {
code = ret;
}
return code;
}
+static krb5_error_code hdb_samba4_kpasswd_fetch_kvno(krb5_context context, HDB *db,
+ krb5_const_principal _principal,
+ unsigned flags,
+ krb5_kvno _kvno,
+ hdb_entry *entry)
+{
+ struct samba_kdc_db_context *kdc_db_ctx = NULL;
+ krb5_error_code ret;
+ krb5_principal kpasswd_principal = NULL;
+
+ kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
+ struct samba_kdc_db_context);
+
+ ret = smb_krb5_make_principal(context, &kpasswd_principal,
+ lpcfg_realm(kdc_db_ctx->lp_ctx),
+ "kadmin", "changepw",
+ NULL);
+ if (ret) {
+ return ret;
+ }
+ smb_krb5_principal_set_type(context, kpasswd_principal, KRB5_NT_SRV_INST);
+
+ /*
+ * For the kpasswd service, always ensure we get the latest kvno. This
+ * also means we (correctly) refuse RODC-issued tickets.
+ */
+ flags &= ~HDB_F_KVNO_SPECIFIED;
+
+ /* Don't bother looking up a client or krbtgt. */
+ flags &= ~(HDB_F_GET_CLIENT|HDB_F_GET_KRBTGT);
+
+ ret = hdb_samba4_fetch_kvno(context, db,
+ kpasswd_principal,
+ flags,
+ 0,
+ entry);
+
+ krb5_free_principal(context, kpasswd_principal);
+ return ret;
+}
+
static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
- hdb_entry_ex *entry)
+ hdb_entry *entry)
{
struct samba_kdc_db_context *kdc_db_ctx;
- struct sdb_entry_ex sdb_entry_ex = {};
+ struct sdb_entry sentry = {};
krb5_error_code ret;
kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
- ret = samba_kdc_firstkey(context, kdc_db_ctx, &sdb_entry_ex);
+ ret = samba_kdc_firstkey(context, kdc_db_ctx, SDB_F_ADMIN_DATA, &sentry);
switch (ret) {
case 0:
break;
return ret;
}
- ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
- sdb_free_entry(&sdb_entry_ex);
+ ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
+ sdb_entry_free(&sentry);
return ret;
}
static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags,
- hdb_entry_ex *entry)
+ hdb_entry *entry)
{
struct samba_kdc_db_context *kdc_db_ctx;
- struct sdb_entry_ex sdb_entry_ex = {};
+ struct sdb_entry sentry = {};
krb5_error_code ret;
kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
- ret = samba_kdc_nextkey(context, kdc_db_ctx, &sdb_entry_ex);
+ ret = samba_kdc_nextkey(context, kdc_db_ctx, SDB_F_ADMIN_DATA, &sentry);
switch (ret) {
case 0:
break;
return ret;
}
- ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
- sdb_free_entry(&sdb_entry_ex);
+ ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
+ sdb_entry_free(&sentry);
return ret;
}
+static krb5_error_code hdb_samba4_nextkey_panic(krb5_context context, HDB *db,
+ unsigned flags,
+ hdb_entry *entry)
+{
+ DBG_ERR("Attempt to iterate kpasswd keytab => PANIC\n");
+ smb_panic("hdb_samba4_nextkey_panic: Attempt to iterate kpasswd keytab");
+}
+
static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
{
talloc_free(db);
static krb5_error_code
hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
- hdb_entry_ex *entry,
+ hdb_entry *entry,
krb5_const_principal target_principal)
{
- struct samba_kdc_db_context *kdc_db_ctx;
- struct samba_kdc_entry *skdc_entry;
- krb5_error_code ret;
+ struct samba_kdc_db_context *kdc_db_ctx = NULL;
+ struct samba_kdc_entry *skdc_entry = NULL;
kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
- skdc_entry = talloc_get_type_abort(entry->ctx,
+ skdc_entry = talloc_get_type_abort(entry->context,
struct samba_kdc_entry);
- ret = samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
- skdc_entry,
- target_principal);
- switch (ret) {
- case 0:
- break;
- case SDB_ERR_WRONG_REALM:
- ret = HDB_ERR_WRONG_REALM;
- break;
- case SDB_ERR_NOENTRY:
- ret = HDB_ERR_NOENTRY;
- break;
- case SDB_ERR_NOT_FOUND_HERE:
- ret = HDB_ERR_NOT_FOUND_HERE;
- break;
- default:
- break;
+ return samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
+ skdc_entry,
+ target_principal);
+}
+
+static krb5_error_code
+hdb_samba4_check_rbcd(krb5_context context, HDB *db,
+ const hdb_entry *client_krbtgt,
+ const hdb_entry *client,
+ const hdb_entry *device_krbtgt,
+ const hdb_entry *device,
+ krb5_const_principal server_principal,
+ krb5_const_pac header_pac,
+ krb5_const_pac device_pac,
+ const hdb_entry *proxy)
+{
+ struct samba_kdc_db_context *kdc_db_ctx = NULL;
+ struct samba_kdc_entry *client_skdc_entry = NULL;
+ const struct samba_kdc_entry *client_krbtgt_skdc_entry = NULL;
+ struct samba_kdc_entry *proxy_skdc_entry = NULL;
+ const struct auth_user_info_dc *client_info = NULL;
+ const struct auth_user_info_dc *device_info = NULL;
+ struct samba_kdc_entry_pac client_pac_entry = {};
+ struct auth_claims auth_claims = {};
+ TALLOC_CTX *mem_ctx = NULL;
+ krb5_error_code code;
+
+ kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
+ struct samba_kdc_db_context);
+ client_skdc_entry = talloc_get_type_abort(client->context,
+ struct samba_kdc_entry);
+ client_krbtgt_skdc_entry = talloc_get_type_abort(client_krbtgt->context,
+ struct samba_kdc_entry);
+ proxy_skdc_entry = talloc_get_type_abort(proxy->context,
+ struct samba_kdc_entry);
+
+ mem_ctx = talloc_new(kdc_db_ctx);
+ if (mem_ctx == NULL) {
+ return ENOMEM;
}
- return ret;
+ client_pac_entry = samba_kdc_entry_pac(header_pac,
+ client_skdc_entry,
+ samba_kdc_entry_is_trust(client_krbtgt_skdc_entry));
+
+ code = samba_kdc_get_user_info_dc(mem_ctx,
+ context,
+ kdc_db_ctx->samdb,
+ client_pac_entry,
+ &client_info,
+ NULL /* resource_groups_out */);
+ if (code != 0) {
+ goto out;
+ }
+
+ code = samba_kdc_get_claims_data(mem_ctx,
+ context,
+ kdc_db_ctx->samdb,
+ client_pac_entry,
+ &auth_claims.user_claims);
+ if (code) {
+ goto out;
+ }
+
+ if (device != NULL) {
+ struct samba_kdc_entry *device_skdc_entry = NULL;
+ const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
+ struct samba_kdc_entry_pac device_pac_entry = {};
+
+ device_skdc_entry = talloc_get_type_abort(device->context,
+ struct samba_kdc_entry);
+
+ if (device_krbtgt != NULL) {
+ device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
+ struct samba_kdc_entry);
+ }
+
+ device_pac_entry = samba_kdc_entry_pac(device_pac,
+ device_skdc_entry,
+ samba_kdc_entry_is_trust(device_krbtgt_skdc_entry));
+
+ code = samba_kdc_get_user_info_dc(mem_ctx,
+ context,
+ kdc_db_ctx->samdb,
+ device_pac_entry,
+ &device_info,
+ NULL /* resource_groups_out */);
+ if (code) {
+ goto out;
+ }
+
+ code = samba_kdc_get_claims_data(mem_ctx,
+ context,
+ kdc_db_ctx->samdb,
+ device_pac_entry,
+ &auth_claims.device_claims);
+ if (code) {
+ goto out;
+ }
+ }
+
+ code = samba_kdc_check_s4u2proxy_rbcd(context,
+ kdc_db_ctx,
+ client->principal,
+ server_principal,
+ client_info,
+ device_info,
+ auth_claims,
+ proxy_skdc_entry);
+out:
+ talloc_free(mem_ctx);
+ return code;
}
static krb5_error_code
hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
- hdb_entry_ex *entry,
+ hdb_entry *entry,
krb5_const_principal certificate_principal)
{
struct samba_kdc_db_context *kdc_db_ctx;
kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
- skdc_entry = talloc_get_type_abort(entry->ctx,
+ skdc_entry = talloc_get_type_abort(entry->context,
struct samba_kdc_entry);
ret = samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx,
}
static krb5_error_code
-hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
- hdb_entry_ex *client_entry,
- hdb_entry_ex *server_target_entry)
+hdb_samba4_check_client_matches_target_service(krb5_context context, HDB *db,
+ hdb_entry *client_entry,
+ hdb_entry *server_target_entry)
{
struct samba_kdc_entry *skdc_client_entry
- = talloc_get_type_abort(client_entry->ctx,
+ = talloc_get_type_abort(client_entry->context,
struct samba_kdc_entry);
struct samba_kdc_entry *skdc_server_target_entry
- = talloc_get_type_abort(server_target_entry->ctx,
+ = talloc_get_type_abort(server_target_entry->context,
struct samba_kdc_entry);
- return samba_kdc_check_s4u2self(context,
- skdc_client_entry,
- skdc_server_target_entry);
+ return samba_kdc_check_client_matches_target_service(context,
+ skdc_client_entry,
+ skdc_server_target_entry);
}
static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx,
{
struct dcerpc_binding_handle *irpc_handle;
struct winbind_SendToSam req;
+ struct tevent_req *subreq = NULL;
irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
"winbind_server",
&ndr_table_winbind);
if (irpc_handle == NULL) {
- DEBUG(0, ("No winbind_server running!\n"));
+ DBG_ERR("No winbind_server running!\n");
return;
}
req.in.message = *send_to_sam;
- dcerpc_winbind_SendToSam_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
- irpc_handle, &req);
+ /*
+ * This seem to rely on the current IRPC implementation,
+ * which delivers the message in the _send function.
+ *
+ * TODO: we need a ONE_WAY IRPC handle and register
+ * a callback and wait for it to be triggered!
+ */
+ subreq = dcerpc_winbind_SendToSam_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
+ irpc_handle, &req);
+
+ /* we aren't interested in a reply */
+ TALLOC_FREE(subreq);
}
-static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
- struct samba_kdc_db_context *kdc_db_ctx,
- struct auth_usersupplied_info *user_info)
+#define SAMBA_HDB_AUTHN_AUDIT_INFO_OBJ "samba:authn_audit_info_obj"
+#define SAMBA_HDB_CLIENT_AUDIT_INFO "samba:client_audit_info"
+#define SAMBA_HDB_SERVER_AUDIT_INFO "samba:server_audit_info"
+
+#define SAMBA_HDB_NT_STATUS_OBJ "samba:nt_status_obj"
+#define SAMBA_HDB_NT_STATUS "samba:nt_status"
+
+struct hdb_audit_info_obj {
+ struct authn_audit_info *audit_info;
+};
+
+static void hdb_audit_info_obj_dealloc(void *ptr)
{
- struct dcerpc_binding_handle *irpc_handle;
- struct winbind_SamLogon req;
- struct netr_IdentityInfo *identity_info;
- struct netr_NetworkInfo *network_info;
+ struct hdb_audit_info_obj *audit_info_obj = ptr;
- irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
- "winbind_server",
- &ndr_table_winbind);
- if (irpc_handle == NULL) {
- DEBUG(0, ("Winbind forwarding for [%s]\\[%s] failed, "
- "no winbind_server running!\n",
- user_info->mapped.domain_name, user_info->mapped.account_name));
+ if (audit_info_obj == NULL) {
return;
}
- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
- if (network_info == NULL) {
- DEBUG(0, ("Winbind forwarding failed: No memory\n"));
- return;
+ TALLOC_FREE(audit_info_obj->audit_info);
+}
+
+/*
+ * Set talloc-allocated auditing information of the KDC request. On success,
+ * ‘audit_info’ is invalidated and may no longer be used by the caller.
+ */
+static krb5_error_code hdb_samba4_set_steal_audit_info(astgs_request_t r,
+ const char *key,
+ struct authn_audit_info *audit_info)
+{
+ struct hdb_audit_info_obj *audit_info_obj = NULL;
+
+ audit_info_obj = kdc_object_alloc(sizeof (*audit_info_obj),
+ SAMBA_HDB_AUTHN_AUDIT_INFO_OBJ,
+ hdb_audit_info_obj_dealloc);
+ if (audit_info_obj == NULL) {
+ return ENOMEM;
}
- identity_info = &network_info->identity_info;
- req.in.logon_level = 2;
- req.in.logon.network = network_info;
-
- identity_info->domain_name.string = user_info->mapped.domain_name;
- identity_info->parameter_control = user_info->logon_parameters; /* TODO */
- identity_info->logon_id = user_info->logon_id;
- identity_info->account_name.string = user_info->mapped.account_name;
- identity_info->workstation.string
- = talloc_asprintf(identity_info, "krb5-bad-pw on RODC from %s",
- tsocket_address_string(user_info->remote_host,
- identity_info));
- if (identity_info->workstation.string == NULL) {
- DEBUG(0, ("Winbind forwarding failed: No memory allocating workstation string\n"));
- return;
+ /*
+ * Steal a handle to the audit information onto the NULL context —
+ * Heimdal will be responsible for the deallocation of the object.
+ */
+ audit_info_obj->audit_info = talloc_steal(NULL, audit_info);
+
+ heim_audit_setkv_object((heim_svc_req_desc)r, key, audit_info_obj);
+ heim_release(audit_info_obj);
+
+ return 0;
+}
+
+/*
+ * Set talloc-allocated client auditing information of the KDC request. On
+ * success, ‘client_audit_info’ is invalidated and may no longer be used by the
+ * caller.
+ */
+krb5_error_code hdb_samba4_set_steal_client_audit_info(astgs_request_t r,
+ struct authn_audit_info *client_audit_info)
+{
+ return hdb_samba4_set_steal_audit_info(r,
+ SAMBA_HDB_CLIENT_AUDIT_INFO,
+ client_audit_info);
+}
+
+static const struct authn_audit_info *hdb_samba4_get_client_audit_info(hdb_request_t r)
+{
+ const struct hdb_audit_info_obj *audit_info_obj = NULL;
+
+ audit_info_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_CLIENT_AUDIT_INFO);
+ if (audit_info_obj == NULL) {
+ return NULL;
}
- req.in.validation_level = 3;
+ return audit_info_obj->audit_info;
+}
- /*
- * The memory in identity_info and user_info only needs to be
- * valid until the end of this function call, as it will be
- * pushed to NDR during this call
- */
-
- dcerpc_winbind_SamLogon_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
- irpc_handle, &req);
+/*
+ * Set talloc-allocated server auditing information of the KDC request. On
+ * success, ‘server_audit_info’ is invalidated and may no longer be used by the
+ * caller.
+ */
+krb5_error_code hdb_samba4_set_steal_server_audit_info(astgs_request_t r,
+ struct authn_audit_info *server_audit_info)
+{
+ return hdb_samba4_set_steal_audit_info(r,
+ SAMBA_HDB_SERVER_AUDIT_INFO,
+ server_audit_info);
+}
+
+static const struct authn_audit_info *hdb_samba4_get_server_audit_info(hdb_request_t r)
+{
+ const struct hdb_audit_info_obj *audit_info_obj = NULL;
+
+ audit_info_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_SERVER_AUDIT_INFO);
+ if (audit_info_obj == NULL) {
+ return NULL;
+ }
+
+ return audit_info_obj->audit_info;
+}
+
+struct hdb_ntstatus_obj {
+ NTSTATUS status;
+ krb5_error_code current_error;
+};
+
+/*
+ * Add an NTSTATUS code to a Kerberos request. ‘error’ is the error value we
+ * want to return to the client. When it comes time to generating the error
+ * request, we shall compare this error value to whatever error we are about to
+ * return; if the two match, we shall replace the ‘e-data’ field in the reply
+ * with the NTSTATUS code.
+ */
+krb5_error_code hdb_samba4_set_ntstatus(astgs_request_t r,
+ const NTSTATUS status,
+ const krb5_error_code error)
+{
+ struct hdb_ntstatus_obj *status_obj = NULL;
+
+ status_obj = kdc_object_alloc(sizeof (*status_obj),
+ SAMBA_HDB_NT_STATUS_OBJ,
+ NULL);
+ if (status_obj == NULL) {
+ return ENOMEM;
+ }
+
+ *status_obj = (struct hdb_ntstatus_obj) {
+ .status = status,
+ .current_error = error,
+ };
+
+ heim_audit_setkv_object((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS, status_obj);
+ heim_release(status_obj);
+
+ return 0;
+}
+
+static krb5_error_code hdb_samba4_make_nt_status_edata(const NTSTATUS status,
+ const uint32_t flags,
+ krb5_data *edata_out)
+{
+ const uint32_t status_code = NT_STATUS_V(status);
+ const uint32_t zero = 0;
+ KERB_ERROR_DATA error_data;
+ krb5_data e_data;
+
+ krb5_error_code ret;
+ size_t size;
+
+ /* The raw KERB-ERR-TYPE-EXTENDED structure. */
+ uint8_t data[12];
+
+ PUSH_LE_U32(data, 0, status_code);
+ PUSH_LE_U32(data, 4, zero);
+ PUSH_LE_U32(data, 8, flags);
+
+ e_data = (krb5_data) {
+ .data = &data,
+ .length = sizeof(data),
+ };
+
+ error_data = (KERB_ERROR_DATA) {
+ .data_type = kERB_ERR_TYPE_EXTENDED,
+ .data_value = &e_data,
+ };
+
+ ASN1_MALLOC_ENCODE(KERB_ERROR_DATA,
+ edata_out->data, edata_out->length,
+ &error_data,
+ &size, ret);
+ if (ret) {
+ return ret;
+ }
+ if (size != edata_out->length) {
+ /* Internal ASN.1 encoder error */
+ krb5_data_free(edata_out);
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+ return 0;
+}
+
+static krb5_error_code hdb_samba4_set_edata_from_ntstatus(hdb_request_t r, const NTSTATUS status)
+{
+ const KDC_REQ *req = kdc_request_get_req((astgs_request_t)r);
+ krb5_error_code ret = 0;
+ krb5_data e_data;
+ uint32_t flags = 1;
+
+ if (req->msg_type == krb_tgs_req) {
+ /* This flag is used to indicate a TGS-REQ. */
+ flags |= 2;
+ }
+
+ ret = hdb_samba4_make_nt_status_edata(status, flags, &e_data);
+ if (ret) {
+ return ret;
+ }
+
+ ret = kdc_request_set_e_data((astgs_request_t)r, e_data);
+ if (ret) {
+ krb5_data_free(&e_data);
+ }
+
+ return ret;
+}
+
+static NTSTATUS hdb_samba4_get_ntstatus(hdb_request_t r)
+{
+ struct hdb_ntstatus_obj *status_obj = NULL;
+
+ status_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS);
+ if (status_obj == NULL) {
+ return NT_STATUS_OK;
+ }
+
+ if (r->error_code != status_obj->current_error) {
+ /*
+ * The error code has changed from what we expect. Consider the
+ * NTSTATUS to be invalidated.
+ */
+ return NT_STATUS_OK;
+ }
+
+ return status_obj->status;
+}
+
+static krb5_error_code hdb_samba4_tgs_audit(const struct samba_kdc_db_context *kdc_db_ctx,
+ const hdb_entry *entry,
+ hdb_request_t r)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ const struct authn_audit_info *server_audit_info = NULL;
+ struct tsocket_address *remote_host = NULL;
+ struct samba_kdc_entry *client_entry = NULL;
+ struct dom_sid sid_buf = {};
+ const char *account_name = NULL;
+ const char *domain_name = NULL;
+ const struct dom_sid *sid = NULL;
+ size_t sa_socklen = 0;
+ NTSTATUS auth_status = NT_STATUS_OK;
+ krb5_error_code ret = 0;
+ krb5_error_code final_ret = 0;
+
+ /* Have we got a status code indicating an error? */
+ auth_status = hdb_samba4_get_ntstatus(r);
+ if (!NT_STATUS_IS_OK(auth_status)) {
+ /*
+ * Include this status code in the ‘e-data’ field of the reply.
+ */
+ ret = hdb_samba4_set_edata_from_ntstatus(r, auth_status);
+ if (ret) {
+ final_ret = ret;
+ }
+ } else if (entry == NULL) {
+ auth_status = NT_STATUS_NO_SUCH_USER;
+ } else if (r->error_code) {
+ /*
+ * Don’t include a status code in the reply. Just log the
+ * request as being unsuccessful.
+ */
+ auth_status = NT_STATUS_UNSUCCESSFUL;
+ }
+
+ switch (r->addr->sa_family) {
+ case AF_INET:
+ sa_socklen = sizeof(struct sockaddr_in);
+ break;
+#ifdef HAVE_IPV6
+ case AF_INET6:
+ sa_socklen = sizeof(struct sockaddr_in6);
+ break;
+#endif
+ }
+
+ ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
+ sa_socklen,
+ &remote_host);
+ if (ret != 0) {
+ remote_host = NULL;
+ /* Ignore the error. */
+ }
+
+ server_audit_info = hdb_samba4_get_server_audit_info(r);
+
+ if (entry != NULL) {
+ client_entry = talloc_get_type_abort(entry->context,
+ struct samba_kdc_entry);
+
+ ret = samdb_result_dom_sid_buf(client_entry->msg, "objectSid", &sid_buf);
+ if (ret) {
+ /* Ignore the error. */
+ } else {
+ sid = &sid_buf;
+ }
+
+ account_name = ldb_msg_find_attr_as_string(client_entry->msg, "sAMAccountName", NULL);
+ domain_name = lpcfg_sam_name(kdc_db_ctx->lp_ctx);
+ }
+
+ log_authz_event(kdc_db_ctx->msg_ctx,
+ kdc_db_ctx->lp_ctx,
+ remote_host,
+ NULL /* local */,
+ server_audit_info,
+ r->sname,
+ "TGS-REQ with Ticket-Granting Ticket",
+ domain_name,
+ account_name,
+ sid,
+ lpcfg_netbios_name(kdc_db_ctx->lp_ctx),
+ krb5_kdc_get_time(),
+ auth_status);
+
+ talloc_free(frame);
+ if (final_ret) {
+ r->error_code = final_ret;
+ }
+ return final_ret;
}
-static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
- hdb_entry_ex *entry,
- struct sockaddr *from_addr,
- struct timeval *start_time,
- const char *original_client_name,
- const char *auth_type,
- int hdb_auth_status)
+static krb5_error_code hdb_samba4_audit(krb5_context context,
+ HDB *db,
+ hdb_entry *entry,
+ hdb_request_t r)
{
struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
-
struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
- uint64_t logon_id = generate_random_u64();
+ heim_object_t auth_details_obj = NULL;
+ const char *auth_details = NULL;
+ char *etype_str = NULL;
+ heim_object_t hdb_auth_status_obj = NULL;
+ int hdb_auth_status;
+ heim_object_t pa_type_obj = NULL;
+ const char *pa_type = NULL;
+ struct auth_usersupplied_info ui;
+ size_t sa_socklen = 0;
+ const KDC_REQ *req = kdc_request_get_req((astgs_request_t)r);
+ krb5_error_code final_ret = 0;
+ NTSTATUS edata_status;
+
+ if (req->msg_type == krb_tgs_req) {
+ return hdb_samba4_tgs_audit(kdc_db_ctx, entry, r);
+ }
+
+ if (r->error_code == KRB5KDC_ERR_PREAUTH_REQUIRED) {
+ /* Let’s not log PREAUTH_REQUIRED errors. */
+ return 0;
+ }
+
+ edata_status = hdb_samba4_get_ntstatus(r);
+
+ hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT);
+ if (hdb_auth_status_obj == NULL) {
+ /* No status code found, so just return. */
+ return 0;
+ }
+
+ hdb_auth_status = heim_number_get_int(hdb_auth_status_obj);
+
+ pa_type_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_NAME);
+ if (pa_type_obj != NULL) {
+ pa_type = heim_string_get_utf8(pa_type_obj);
+ }
+
+ auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PKINIT_CLIENT_CERT);
+ if (auth_details_obj != NULL) {
+ auth_details = heim_string_get_utf8(auth_details_obj);
+ } else {
+ auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_GSS_INITIATOR);
+ if (auth_details_obj != NULL) {
+ auth_details = heim_string_get_utf8(auth_details_obj);
+ } else {
+ heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_ETYPE);
+ if (etype_obj != NULL) {
+ int etype = heim_number_get_int(etype_obj);
+
+ krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
+ if (ret == 0) {
+ auth_details = etype_str;
+ } else {
+ auth_details = "unknown enctype";
+ }
+ }
+ }
+ }
/*
* Forcing this via the NTLM auth structure is not ideal, but
* it is the most practical option right now, and ensures the
* logs are consistent, even if some elements are always NULL.
*/
- struct auth_usersupplied_info ui = {
- .mapped_state = true,
+ ui = (struct auth_usersupplied_info) {
.was_mapped = true,
.client = {
- .account_name = original_client_name,
+ .account_name = r->cname,
.domain_name = NULL,
},
.service_description = "Kerberos KDC",
- .auth_description = "ENC-TS Pre-authentication",
- .password_type = auth_type,
- .logon_id = logon_id
+ .auth_description = "Unknown Auth Description",
+ .password_type = auth_details,
+ .logon_id = generate_random_u64(),
};
- size_t sa_socklen = 0;
-
- switch (from_addr->sa_family) {
+ switch (r->addr->sa_family) {
case AF_INET:
sa_socklen = sizeof(struct sockaddr_in);
break;
}
switch (hdb_auth_status) {
- case HDB_AUTHZ_SUCCESS:
- {
- TALLOC_CTX *frame = talloc_stackframe();
- struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
- struct samba_kdc_entry);
- struct netr_SendToSamBase *send_to_sam = NULL;
-
- /*
- * TODO: We could log the AS-REQ authorization success here as
- * well. However before we do that, we need to pass
- * in the PAC here or re-calculate it.
- */
- authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
- domain_dn, true, &send_to_sam);
- if (kdc_db_ctx->rodc && send_to_sam != NULL) {
- reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
- }
- talloc_free(frame);
- break;
- }
- case HDB_AUTH_INVALID_SIGNATURE:
- break;
- case HDB_AUTH_CORRECT_PASSWORD:
- case HDB_AUTH_WRONG_PASSWORD:
+ default:
{
TALLOC_CTX *frame = talloc_stackframe();
- struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
- struct samba_kdc_entry);
+ struct samba_kdc_entry *p = talloc_get_type_abort(entry->context,
+ struct samba_kdc_entry);
struct dom_sid *sid
= samdb_result_dom_sid(frame, p->msg, "objectSid");
const char *account_name
= ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
struct tsocket_address *remote_host;
+ const char *auth_description = NULL;
+ const struct authn_audit_info *client_audit_info = NULL;
+ const struct authn_audit_info *server_audit_info = NULL;
NTSTATUS status;
int ret;
+ bool rwdc_fallback = false;
- ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
+ ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
sa_socklen,
&remote_host);
if (ret != 0) {
ui.mapped.account_name = account_name;
ui.mapped.domain_name = domain_name;
- if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
- authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
- status = NT_STATUS_WRONG_PASSWORD;
+ if (pa_type != NULL) {
+ auth_description = talloc_asprintf(frame,
+ "%s Pre-authentication",
+ pa_type);
+ if (auth_description == NULL) {
+ auth_description = pa_type;
+ }
+ } else {
+ auth_description = "Unknown Pre-authentication";
+ }
+ ui.auth_description = auth_description;
+
+ if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
+ struct netr_SendToSamBase *send_to_sam = NULL;
+
+ /*
+ * TODO: We could log the AS-REQ authorization success here as
+ * well. However before we do that, we need to pass
+ * in the PAC here or re-calculate it.
+ */
+ status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
+ domain_dn, true, frame, &send_to_sam);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+ edata_status = status;
+
+ r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+ rwdc_fallback = kdc_db_ctx->rodc;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+ rwdc_fallback = kdc_db_ctx->rodc;
+ } else {
+ if (r->error_code == KRB5KDC_ERR_NEVER_VALID) {
+ edata_status = status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+ } else {
+ status = krb5_to_nt_status(r->error_code);
+ }
+
+ if (kdc_db_ctx->rodc && send_to_sam != NULL) {
+ reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
+ }
+ }
+
+ /* This is the final success */
+ } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
+ /*
+ * This was only a pre-authentication success,
+ * but we didn't reach the final
+ * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+ * so consult the error code.
+ */
+ if (r->error_code == 0) {
+ DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY "
+ "with error=0 => INTERNAL_ERROR\n");
+ status = NT_STATUS_INTERNAL_ERROR;
+ r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
+ } else if (!NT_STATUS_IS_OK(p->reject_status)) {
+ status = p->reject_status;
+ } else {
+ status = krb5_to_nt_status(r->error_code);
+ }
+ } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
/*
- * TODO We currently send a bad password via NETLOGON,
- * however, it should probably forward the ticket to
- * another KDC to allow login after password changes.
+ * This was only a pre-authentication success,
+ * but we didn't reach the final
+ * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+ * so consult the error code.
*/
- if (kdc_db_ctx->rodc) {
- send_bad_password_netlogon(frame, kdc_db_ctx, &ui);
+ if (r->error_code == 0) {
+ DBG_ERR("ERROR: PREAUTH_SUCCEEDED "
+ "with error=0 => INTERNAL_ERROR\n");
+ status = NT_STATUS_INTERNAL_ERROR;
+ r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
+ } else if (!NT_STATUS_IS_OK(p->reject_status)) {
+ status = p->reject_status;
+ } else {
+ status = krb5_to_nt_status(r->error_code);
+ }
+ } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_FOUND) {
+ /*
+ * We found the client principal,
+ * but we didn’t reach the final
+ * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
+ * so consult the error code.
+ */
+ if (r->error_code == 0) {
+ DBG_ERR("ERROR: CLIENT_FOUND "
+ "with error=0 => INTERNAL_ERROR\n");
+ status = NT_STATUS_INTERNAL_ERROR;
+ r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
+ } else if (!NT_STATUS_IS_OK(p->reject_status)) {
+ status = p->reject_status;
+ } else {
+ status = krb5_to_nt_status(r->error_code);
+ }
+ } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
+ status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+ } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
+ status = authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+ edata_status = status;
+
+ r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+ } else {
+ status = NT_STATUS_WRONG_PASSWORD;
+ }
+ rwdc_fallback = kdc_db_ctx->rodc;
+ } else if (hdb_auth_status == KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY) {
+ /*
+ * The pre-authentication succeeds with a password
+ * from the password history, so we don't
+ * update the badPwdCount, but still return
+ * PREAUTH_FAILED and need to forward to
+ * a RWDC in order to produce an authoritative
+ * response for the client.
+ */
+ status = NT_STATUS_WRONG_PASSWORD;
+ rwdc_fallback = kdc_db_ctx->rodc;
+ } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
+ edata_status = status = NT_STATUS_ACCOUNT_LOCKED_OUT;
+ rwdc_fallback = kdc_db_ctx->rodc;
+ } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) {
+ if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
+ status = NT_STATUS_PKINIT_NAME_MISMATCH;
+ } else {
+ status = NT_STATUS_ACCOUNT_RESTRICTION;
}
+ rwdc_fallback = kdc_db_ctx->rodc;
+ } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
+ if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
+ status = NT_STATUS_PKINIT_FAILURE;
+ } else {
+ status = NT_STATUS_GENERIC_COMMAND_FAILED;
+ }
+ rwdc_fallback = kdc_db_ctx->rodc;
} else {
- status = NT_STATUS_OK;
+ DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
+ hdb_auth_status);
+ status = NT_STATUS_INTERNAL_ERROR;
+ r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
+ }
+
+ if (!NT_STATUS_IS_OK(edata_status)) {
+ krb5_error_code code;
+
+ code = hdb_samba4_set_edata_from_ntstatus(r, edata_status);
+ if (code) {
+ r->error_code = final_ret = code;
+ }
}
+ if (rwdc_fallback) {
+ /*
+ * Forward the request to an RWDC in order
+ * to give an authoritative answer to the client.
+ */
+ auth_description = talloc_asprintf(frame,
+ "%s,Forward-To-RWDC",
+ ui.auth_description);
+ if (auth_description != NULL) {
+ ui.auth_description = auth_description;
+ }
+ final_ret = HDB_ERR_NOT_FOUND_HERE;
+ }
+
+ client_audit_info = hdb_samba4_get_client_audit_info(r);
+ server_audit_info = hdb_samba4_get_server_audit_info(r);
+
log_authentication_event(kdc_db_ctx->msg_ctx,
kdc_db_ctx->lp_ctx,
- start_time,
+ &r->tv_start,
&ui,
status,
domain_name,
account_name,
- sid);
+ sid,
+ client_audit_info,
+ server_audit_info);
+ if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) {
+ /*
+ * If we're running under make test
+ * just panic
+ */
+ DBG_ERR("Unexpected situation => PANIC\n");
+ smb_panic("hdb_samba4_audit: Unexpected situation");
+ }
TALLOC_FREE(frame);
break;
}
- case HDB_AUTH_CLIENT_UNKNOWN:
+ case KDC_AUTH_EVENT_CLIENT_UNKNOWN:
{
struct tsocket_address *remote_host;
int ret;
TALLOC_CTX *frame = talloc_stackframe();
- ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
+ ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
sa_socklen,
&remote_host);
if (ret != 0) {
ui.remote_host = remote_host;
}
+ if (pa_type == NULL) {
+ pa_type = "AS-REQ";
+ }
+
+ ui.auth_description = pa_type;
+
+ /* Note this is not forwarded to an RWDC */
+
log_authentication_event(kdc_db_ctx->msg_ctx,
kdc_db_ctx->lp_ctx,
- start_time,
+ &r->tv_start,
&ui,
NT_STATUS_NO_SUCH_USER,
NULL, NULL,
- NULL);
+ NULL,
+ NULL /* client_audit_info */,
+ NULL /* server_audit_info */);
TALLOC_FREE(frame);
break;
}
}
- return 0;
+
+ free(etype_str);
+
+ return final_ret;
}
/* This interface is to be called by the KDC and libnet_keytab_dump,
* kpasswdd -> krb5 -> keytab_hdb -> hdb code */
NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
- krb5_context context, struct HDB **db)
+ krb5_context context, struct HDB **db,
+ struct samba_kdc_db_context **kdc_db_ctx)
{
- struct samba_kdc_db_context *kdc_db_ctx;
NTSTATUS nt_status;
if (hdb_interface_version != HDB_INTERFACE_VERSION) {
return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
}
- *db = talloc(base_ctx, HDB);
+ *db = talloc_zero(base_ctx, HDB);
if (!*db) {
- krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
+ krb5_set_error_message(context, ENOMEM, "talloc_zero: out of memory");
return NT_STATUS_NO_MEMORY;
}
(*db)->hdb_db = NULL;
(*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
- nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &kdc_db_ctx);
+ nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, kdc_db_ctx);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(*db);
return nt_status;
}
- (*db)->hdb_db = kdc_db_ctx;
+ (*db)->hdb_db = *kdc_db_ctx;
(*db)->hdb_dbc = NULL;
(*db)->hdb_open = hdb_samba4_open;
(*db)->hdb_close = hdb_samba4_close;
+ (*db)->hdb_free_entry_context = hdb_samba4_free_entry_context;
(*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
(*db)->hdb_store = hdb_samba4_store;
- (*db)->hdb_remove = hdb_samba4_remove;
(*db)->hdb_firstkey = hdb_samba4_firstkey;
(*db)->hdb_nextkey = hdb_samba4_nextkey;
(*db)->hdb_lock = hdb_samba4_lock;
(*db)->hdb_unlock = hdb_samba4_unlock;
+ (*db)->hdb_set_sync = hdb_samba4_set_sync;
(*db)->hdb_rename = hdb_samba4_rename;
/* we don't implement these, as we are not a lockable database */
(*db)->hdb__get = NULL;
(*db)->hdb__del = NULL;
(*db)->hdb_destroy = hdb_samba4_destroy;
- (*db)->hdb_auth_status = hdb_samba4_auth_status;
+ (*db)->hdb_audit = hdb_samba4_audit;
(*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
+ (*db)->hdb_check_rbcd = hdb_samba4_check_rbcd;
(*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
- (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;
+ (*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
+ krb5_context context, struct HDB **db)
+{
+ NTSTATUS nt_status;
+
+ /* This is only used in other callers */
+ struct samba_kdc_db_context *kdc_db_ctx = NULL;
+
+ nt_status = hdb_samba4_create_kdc(base_ctx, context, db, &kdc_db_ctx);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ (*db)->hdb_fetch_kvno = hdb_samba4_kpasswd_fetch_kvno;
+ (*db)->hdb_firstkey = hdb_samba4_nextkey_panic;
+ (*db)->hdb_nextkey = hdb_samba4_nextkey_panic;
return NT_STATUS_OK;
}