s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB

[samba.git] / source4 / kdc / kpasswdd.c

diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 2fa07d0531c4ba7231528faf41652a30b6b417d8..3a39348578594461820adba0cb5d2ced1ee1321c 100644 (file)
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -47,7 +47,7 @@
 struct kpasswd_socket {
        struct socket_context *sock;
        struct kdc_server *kdc;
-       struct fd_event *fde;
+       struct tevent_fd *fde;
 
        /* a queue of outgoing replies that have been deferred */
        struct kdc_reply *send_queue;
@@ -61,12 +61,11 @@ static bool kpasswdd_make_error_reply(struct kdc_server *kdc,
                                     DATA_BLOB *error_blob) 
 {
        char *error_string_utf8;
-       ssize_t len;
+       size_t len;
        
        DEBUG(result_code ? 3 : 10, ("kpasswdd: %s\n", error_string));
 
-       len = push_utf8_talloc(mem_ctx, &error_string_utf8, error_string);
-       if (len == -1) {
+       if (!push_utf8_talloc(mem_ctx, &error_string_utf8, error_string, &len)) {
                return false;
        }
 
@@ -219,7 +218,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
                                    DATA_BLOB *reply)
 {
        struct auth_session_info *session_info;
-       ssize_t pw_len;
+       size_t pw_len;
 
        if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security, 
                                                 &session_info))) {
@@ -233,13 +232,11 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
        case KRB5_KPASSWD_VERS_CHANGEPW:
        {
                DATA_BLOB password;
-               pw_len = convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx), 
+               if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx), 
                                               CH_UTF8, CH_UTF16, 
                                               (const char *)input->data, 
                                               input->length,
-                                              (void **)&password.data);
-
-               if (pw_len == -1) {
+                                              (void **)&password.data, &pw_len, false)) {
                        return false;
                }
                password.length = pw_len;
@@ -281,12 +278,11 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
                                                        reply);
                }
                
-               pw_len = convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx), 
+               if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx), 
                                               CH_UTF8, CH_UTF16, 
                                               (const char *)chpw.newpasswd.data, 
                                               chpw.newpasswd.length,
-                                              (void **)&password.data);
-               if (pw_len == -1) {
+                                              (void **)&password.data, &pw_len, false)) {
                        free_ChangePasswdDataMS(&chpw);
                        return false;
                }
@@ -451,7 +447,9 @@ bool kpasswdd_process(struct kdc_server *kdc,
        struct cli_credentials *server_credentials;
        struct gensec_security *gensec_security;
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-       
+
+       char *keytab_name;
+
        if (!tmp_ctx) {
                return false;
        }
@@ -483,14 +481,6 @@ bool kpasswdd_process(struct kdc_server *kdc,
        ap_req = data_blob_const(&input->data[header_len], ap_req_len);
        krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
        
-       nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx, 
-                                       lp_gensec_settings(tmp_ctx, kdc->task->lp_ctx), kdc->task->msg_ctx, 
-                                       &gensec_security);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               talloc_free(tmp_ctx);
-               return false;
-       }
-
        server_credentials = cli_credentials_init(tmp_ctx);
        if (!server_credentials) {
                DEBUG(1, ("Failed to init server credentials\n"));
@@ -501,8 +491,12 @@ bool kpasswdd_process(struct kdc_server *kdc,
         * we already have, rather than a new context */        
        cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
        cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
-       nt_status = cli_credentials_set_stored_principal(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, "kadmin/changepw");
-       if (!NT_STATUS_IS_OK(nt_status)) {
+
+       keytab_name = talloc_asprintf(server_credentials, "HDB:samba4&%p", kdc->hdb_samba4_context);
+
+       cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED);
+       ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED);
+       if (ret != 0) {
                ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, 
                                                       KRB5_KPASSWD_HARDERROR,
                                                       talloc_asprintf(mem_ctx, 
@@ -517,7 +511,16 @@ bool kpasswdd_process(struct kdc_server *kdc,
                return ret;
        }
        
-       nt_status = gensec_set_credentials(gensec_security, server_credentials);
+       /* We don't strictly need to call this wrapper, and could call
+        * gensec_server_start directly, as we have no need for NTLM
+        * and we have a PAC, but this ensures that the wrapper can be
+        * safely extended for other helpful things in future */
+       nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx, 
+                                             kdc->task->msg_ctx,
+                                             kdc->task->lp_ctx,
+                                             server_credentials,
+                                             "kpasswd", 
+                                             &gensec_security);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(tmp_ctx);
                return false;