struct kpasswd_socket {
struct socket_context *sock;
struct kdc_server *kdc;
- struct fd_event *fde;
+ struct tevent_fd *fde;
/* a queue of outgoing replies that have been deferred */
struct kdc_reply *send_queue;
DATA_BLOB *error_blob)
{
char *error_string_utf8;
- ssize_t len;
+ size_t len;
DEBUG(result_code ? 3 : 10, ("kpasswdd: %s\n", error_string));
- len = push_utf8_talloc(mem_ctx, &error_string_utf8, error_string);
- if (len == -1) {
+ if (!push_utf8_talloc(mem_ctx, &error_string_utf8, error_string, &len)) {
return false;
}
DATA_BLOB *reply)
{
struct auth_session_info *session_info;
- ssize_t pw_len;
+ size_t pw_len;
if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
&session_info))) {
case KRB5_KPASSWD_VERS_CHANGEPW:
{
DATA_BLOB password;
- pw_len = convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx),
+ if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx),
CH_UTF8, CH_UTF16,
(const char *)input->data,
input->length,
- (void **)&password.data);
-
- if (pw_len == -1) {
+ (void **)&password.data, &pw_len, false)) {
return false;
}
password.length = pw_len;
reply);
}
- pw_len = convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx),
+ if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx),
CH_UTF8, CH_UTF16,
(const char *)chpw.newpasswd.data,
chpw.newpasswd.length,
- (void **)&password.data);
- if (pw_len == -1) {
+ (void **)&password.data, &pw_len, false)) {
free_ChangePasswdDataMS(&chpw);
return false;
}
struct cli_credentials *server_credentials;
struct gensec_security *gensec_security;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-
+
+ char *keytab_name;
+
if (!tmp_ctx) {
return false;
}
ap_req = data_blob_const(&input->data[header_len], ap_req_len);
krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
- nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx,
- lp_gensec_settings(tmp_ctx, kdc->task->lp_ctx), kdc->task->msg_ctx,
- &gensec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(tmp_ctx);
- return false;
- }
-
server_credentials = cli_credentials_init(tmp_ctx);
if (!server_credentials) {
DEBUG(1, ("Failed to init server credentials\n"));
* we already have, rather than a new context */
cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
- nt_status = cli_credentials_set_stored_principal(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, "kadmin/changepw");
- if (!NT_STATUS_IS_OK(nt_status)) {
+
+ keytab_name = talloc_asprintf(server_credentials, "HDB:samba4&%p", kdc->hdb_samba4_context);
+
+ cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED);
+ ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED);
+ if (ret != 0) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx,
return ret;
}
- nt_status = gensec_set_credentials(gensec_security, server_credentials);
+ /* We don't strictly need to call this wrapper, and could call
+ * gensec_server_start directly, as we have no need for NTLM
+ * and we have a PAC, but this ensures that the wrapper can be
+ * safely extended for other helpful things in future */
+ nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx,
+ kdc->task->msg_ctx,
+ kdc->task->lp_ctx,
+ server_credentials,
+ "kpasswd",
+ &gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return false;