*/
#include "includes.h"
-#include "auth/auth.h"
-#include "auth/credentials/credentials.h"
-#include "dsdb/samdb/samdb.h"
-#include "param/param.h"
#include "kdc/kdc-glue.h"
#include "kdc/db-glue.h"
+#include "auth/auth_sam.h"
+#include <ldb.h>
static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
{
}
static krb5_error_code
-hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db,
+hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
hdb_entry_ex *entry,
krb5_const_principal target_principal)
{
kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
struct samba_kdc_db_context);
- return samba_kdc_check_identical_client_and_server(context, kdc_db_ctx,
- entry,
- target_principal);
+ return samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
+ entry,
+ target_principal);
}
static krb5_error_code
certificate_principal);
}
+static krb5_error_code
+hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
+ hdb_entry_ex *entry,
+ krb5_const_principal target_principal)
+{
+ struct samba_kdc_db_context *kdc_db_ctx;
+
+ kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
+ struct samba_kdc_db_context);
+
+ return samba_kdc_check_s4u2self(context, kdc_db_ctx,
+ entry,
+ target_principal);
+}
+
+static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
+ hdb_entry_ex *entry,
+ int hdb_auth_status)
+{
+ struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
+ struct samba_kdc_db_context);
+ struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
+
+ if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
+ authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, ldb_get_default_basedn(kdc_db_ctx->samdb));
+ } else if (hdb_auth_status == HDB_AUTH_SUCCESS) {
+ authsam_zero_bad_pwd_count(kdc_db_ctx->samdb, p->msg);
+ }
+ return 0;
+}
+
/* This interface is to be called by the KDC and libnet_keytab_dump,
* which is expecting Samba calling conventions.
* It is also called by a wrapper (hdb_samba4_create) from the
struct samba_kdc_db_context *kdc_db_ctx;
NTSTATUS nt_status;
+ if (hdb_interface_version != HDB_INTERFACE_VERSION) {
+ krb5_set_error_message(context, EINVAL, "Heimdal HDB interface version mismatch between build-time and run-time libraries!");
+ return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
+ }
+
*db = talloc(base_ctx, HDB);
if (!*db) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
(*db)->hdb_master_key_set = 0;
(*db)->hdb_db = NULL;
- (*db)->hdb_capability_flags = 0;
+ (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &kdc_db_ctx);
if (!NT_STATUS_IS_OK(nt_status)) {
(*db)->hdb__del = NULL;
(*db)->hdb_destroy = hdb_samba4_destroy;
- (*db)->hdb_auth_status = NULL;
- (*db)->hdb_check_constrained_delegation = hdb_samba4_check_identical_client_and_server;
+ (*db)->hdb_auth_status = hdb_samba4_auth_status;
+ (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
(*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
- (*db)->hdb_check_s4u2self = hdb_samba4_check_identical_client_and_server;
+ (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;
return NT_STATUS_OK;
}
-
-static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg)
-{
- NTSTATUS nt_status;
- void *ptr;
- struct samba_kdc_base_context *base_ctx;
-
- if (sscanf(arg, "&%p", &ptr) != 1) {
- return EINVAL;
- }
- base_ctx = talloc_get_type_abort(ptr, struct samba_kdc_base_context);
- /* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */
- nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
-
- if (NT_STATUS_IS_OK(nt_status)) {
- return 0;
- }
- return EINVAL;
-}
-
-/* Only used in the hdb-backed keytab code
- * for a keytab of 'samba4&<address>', to find
- * kpasswd's key in the main DB, and to
- * copy all the keys into a file (libnet_keytab_export)
- *
- * The <address> is the string form of a pointer to a talloced struct hdb_samba_context
- */
-struct hdb_method hdb_samba4 = {
- .interface_version = HDB_INTERFACE_VERSION,
- .prefix = "samba4",
- .create = hdb_samba4_create
-};