s4:kdc: Update to match updated Heimdal's new HDB version
authorAndrew Bartlett <abartlet@samba.org>
Fri, 8 Jan 2016 01:08:18 +0000 (14:08 +1300)
committerJoseph Sutton <jsutton@samba.org>
Wed, 19 Jan 2022 20:50:35 +0000 (20:50 +0000)
Including updates to hook into the improved hdb_auth_status
by Stefan Metzmacher <metze@samba.org> from his Heimdal
upgrade branch.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/kdc/db-glue.c
source4/kdc/db-glue.h
source4/kdc/hdb-samba4-plugin.c
source4/kdc/hdb-samba4.c
source4/kdc/kdc-glue.c
source4/kdc/sdb.h
source4/kdc/sdb_to_hdb.c
source4/kdc/wdc-samba4.c

index 22106bf866540885ac5d2ee0e15224f6d43736de..06b8eeec41d5242672ad60a8f20329a41ec6041d 100644 (file)
@@ -235,8 +235,12 @@ static struct SDBFlags uf2SDBFlags(krb5_context context, uint32_t userAccountCon
                flags.require_preauth = 0;
        } else {
                flags.require_preauth = 1;
+       }
 
+       if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
+               flags.no_auth_data_reqd = 1;
        }
+
        return flags;
 }
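Review bot: The new UF_NO_AUTH_DATA_REQUIRED mapping carries no comment, and it is the one bit in this function that affects authorization rather than authentication: as the flag name suggests, a principal with no_auth_data_reqd set presumably gets tickets without authorization data (the PAC), so a wrongly set bit silently changes what a service sees, with no error anywhere. I would put a line above the new `if`: `/* UF_NO_AUTH_DATA_REQUIRED: ask Heimdal not to add a PAC for this principal (confirm against the HDB flag semantics) */`. Unlike require_preauth this bit is only ever set, never cleared, which is fine only if flags starts zeroed; that initialisation is outside the hunk, as is the start of uf2SDBFlags.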
 
@@ -2540,9 +2544,9 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
  * the time the principal was presented to the KDC.
  */
 krb5_error_code
-samba_kdc_check_s4u2self(krb5_context context,
-                        struct samba_kdc_entry *skdc_entry_client,
-                        struct samba_kdc_entry *skdc_entry_server_target)
+samba_kdc_check_client_matches_target_service(krb5_context context,
+                                             struct samba_kdc_entry *skdc_entry_client,
+                                             struct samba_kdc_entry *skdc_entry_server_target)
 {
        struct dom_sid *orig_sid;
        struct dom_sid *target_sid;
index cadfac1deb86bb29f8fe96d12d2a72ff9035fb98..4defca2320ca1c21d5c654385fa7f83387fdfa6c 100644 (file)
@@ -39,7 +39,7 @@ krb5_error_code samba_kdc_nextkey(krb5_context context,
                                  struct sdb_entry_ex *entry);
 
 krb5_error_code
-samba_kdc_check_s4u2self(krb5_context context,
+samba_kdc_check_client_matches_target_service(krb5_context context,
                         struct samba_kdc_entry *skdc_entry_client,
                         struct samba_kdc_entry *skdc_entry_server_target);
 
index 6f76124995d327bbf9e0c2ef0d173a023da2f5d2..9dc4784f379ab47c71cce7fe4c3f309d742154c4 100644 (file)
@@ -72,7 +72,7 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db,
        return EINVAL;
 }
 
-#if (HDB_INTERFACE_VERSION != 8 && HDB_INTERFACE_VERSION != 7)
+#if (HDB_INTERFACE_VERSION != 11)
 #error "Unsupported Heimdal HDB version"
 #endif
 
index 92bc5ff28a69fa0a6f6dcf3d9cf588f8cc6f3d8b..9132bb46212d705a2f0a1403182f61e8dd1c776a 100644 (file)
@@ -83,9 +83,13 @@ static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned
        return HDB_ERR_DB_INUSE;
 }
 
-static krb5_error_code hdb_samba4_remove(krb5_context context, HDB *db, krb5_const_principal principal)
+/*
+ * If we ever want kadmin to work fast, we might try and reopen the
+ * ldb with LDB_NOSYNC
+ */
+static krb5_error_code hdb_samba4_set_sync(krb5_context context, struct HDB *db, int set_sync)
 {
-       return HDB_ERR_DB_INUSE;
+       return 0;
 }
 
 static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
@@ -273,7 +277,7 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
 }
 
 static krb5_error_code
-hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
+hdb_samba4_check_client_matches_target_service(krb5_context context, HDB *db,
                          hdb_entry_ex *client_entry,
                          hdb_entry_ex *server_target_entry)
 {
@@ -284,9 +288,9 @@ hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
                = talloc_get_type_abort(server_target_entry->ctx,
                                        struct samba_kdc_entry);
 
-       return samba_kdc_check_s4u2self(context,
-                                       skdc_client_entry,
-                                       skdc_server_target_entry);
+       return samba_kdc_check_client_matches_target_service(context,
+                                                            skdc_client_entry,
+                                                            skdc_server_target_entry);
 }
 
 static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx,
@@ -365,13 +369,15 @@ static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
                                       irpc_handle, &req);
 }
 
-static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
+static krb5_error_code hdb_samba4_auth_status(krb5_context context,
+                                             HDB *db,
                                              hdb_entry_ex *entry,
-                                             struct sockaddr *from_addr,
-                                             struct timeval *start_time,
+                                             const struct timeval *start_time,
+                                             const struct sockaddr *from_addr,
                                              const char *original_client_name,
-                                             const char *auth_type,
-                                             int hdb_auth_status)
+                                             int hdb_auth_status,
+                                             const char *auth_details,
+                                             const char *pa_type)
 {
        struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
                                                                        struct samba_kdc_db_context);
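Review bot: The two new parameters auth_details and pa_type are undocumented, and their roles are not symmetric: later in this function auth_details goes straight into the audit record as password_type, while pa_type is formatted into auth_description, yet nothing at the signature says whether either may be NULL. The body guards a NULL pa_type, but auth_details is passed through unchecked, and whether log_authentication_event tolerates a NULL password_type is not visible here. A header comment should state what each parameter is (the status being reported, the Heimdal-supplied details string that becomes password_type, the pre-auth type name that becomes auth_description) and which of them may be NULL. hdb_samba4_auth_status continues past the end of this hunk.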
@@ -392,8 +398,8 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
                        .domain_name = NULL,
                },
                .service_description = "Kerberos KDC",
-               .auth_description = "ENC-TS Pre-authentication",
-               .password_type = auth_type,
+               .auth_description = "Unknown Auth Description",
+               .password_type = auth_details,
                .logon_id = logon_id
        };
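Review bot: The new default `.auth_description = "Unknown Auth Description"` is a placeholder that reaches the audit log whenever a branch does not override it; the password and CLIENT_UNKNOWN branches later in this function set it, but the HDB_AUTHSTATUS_AUTHORIZATION_SUCCESS branch is only partly visible here, so if that path logs it will emit this string. A placeholder in an audit field is awkward to alert on, so either make it clearly a sentinel or derive it from what is known at this point, e.g. `.auth_description = pa_type != NULL ? pa_type : "Unknown Auth Description",`, hedged on whether pa_type is meaningful for the authorization path. The initialiser starts before this hunk.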
 
@@ -411,7 +417,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
        }
 
        switch (hdb_auth_status) {
-       case HDB_AUTHZ_SUCCESS:
+       case HDB_AUTHSTATUS_AUTHORIZATION_SUCCESS:
        {
                TALLOC_CTX *frame = talloc_stackframe();
                struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
@@ -431,10 +437,13 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
                talloc_free(frame);
                break;
        }
-       case HDB_AUTH_INVALID_SIGNATURE:
-               break;
-       case HDB_AUTH_CORRECT_PASSWORD:
-       case HDB_AUTH_WRONG_PASSWORD:
+       case HDB_AUTHSTATUS_CLIENT_LOCKED_OUT:
+       case HDB_AUTHSTATUS_CORRECT_PASSWORD:
+       case HDB_AUTHSTATUS_WRONG_PASSWORD:
+       case HDB_AUTHSTATUS_GENERIC_SUCCESS:
+       case HDB_AUTHSTATUS_GENERIC_FAILURE:
+       case HDB_AUTHSTATUS_PKINIT_SUCCESS:
+       case HDB_AUTHSTATUS_PKINIT_FAILURE:
        {
                TALLOC_CTX *frame = talloc_stackframe();
                struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
@@ -445,6 +454,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
                        = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
                const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
                struct tsocket_address *remote_host;
+               const char *auth_description = NULL;
                NTSTATUS status;
                int ret;
 
@@ -460,7 +470,19 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
                ui.mapped.account_name = account_name;
                ui.mapped.domain_name = domain_name;
 
-               if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
+               if (pa_type != NULL) {
+                       auth_description = talloc_asprintf(frame,
+                                                          "%s Pre-authentication",
+                                                          pa_type);
+                       if (auth_description == NULL) {
+                               auth_description = pa_type;
+                       }
+               } else {
+                       auth_description = "Unknown Pre-authentication";
+               }
+               ui.auth_description = auth_description;
+
+               if (hdb_auth_status == HDB_AUTHSTATUS_WRONG_PASSWORD) {
                        authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
                        status = NT_STATUS_WRONG_PASSWORD;
                        /*
@@ -471,8 +493,20 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
                        if (kdc_db_ctx->rodc) {
                                send_bad_password_netlogon(frame, kdc_db_ctx, &ui);
                        }
-               } else {
+               } else if (hdb_auth_status == HDB_AUTHSTATUS_CLIENT_LOCKED_OUT) {
+                       status = NT_STATUS_ACCOUNT_LOCKED_OUT;
+               } else if (hdb_auth_status == HDB_AUTHSTATUS_CORRECT_PASSWORD) {
+                       status = NT_STATUS_OK;
+               } else if (hdb_auth_status == HDB_AUTHSTATUS_GENERIC_SUCCESS) {
+                       status = NT_STATUS_OK;
+               } else if (hdb_auth_status == HDB_AUTHSTATUS_GENERIC_FAILURE) {
+                       status = NT_STATUS_GENERIC_COMMAND_FAILED;
+               } else if (hdb_auth_status == HDB_AUTHSTATUS_PKINIT_SUCCESS) {
                        status = NT_STATUS_OK;
+               } else if (hdb_auth_status == HDB_AUTHSTATUS_PKINIT_FAILURE) {
+                       status = NT_STATUS_PKINIT_FAILURE;
+               } else {
+                       status = NT_STATUS_INTERNAL_ERROR;
                }
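Review bot: Only HDB_AUTHSTATUS_WRONG_PASSWORD feeds authsam_update_bad_pwd_count; HDB_AUTHSTATUS_PKINIT_FAILURE and HDB_AUTHSTATUS_GENERIC_FAILURE are logged as failures but never count toward lockout, and nothing says whether that is deliberate. If it is (a bad certificate or a generic KDC error is not a password guess and should not let a remote party lock an account), record it next to the chain: `/* Only a wrong password counts toward lockout: PKINIT and generic failures are not password guesses. */`. As a matter of style, the else-if chain re-enumerates the case labels of the enclosing switch; a nested `switch (hdb_auth_status)` without a default would let the compiler flag a status added to the case list but not mapped, which the final `else` currently hides as NT_STATUS_INTERNAL_ERROR. The function continues outside this hunk.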
 
                log_authentication_event(kdc_db_ctx->msg_ctx,
@@ -486,7 +520,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
                TALLOC_FREE(frame);
                break;
        }
-       case HDB_AUTH_CLIENT_UNKNOWN:
+       case HDB_AUTHSTATUS_CLIENT_UNKNOWN:
        {
                struct tsocket_address *remote_host;
                int ret;
@@ -500,6 +534,12 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
                        ui.remote_host = remote_host;
                }
 
+               if (pa_type == NULL) {
+                       pa_type = "AS-REQ";
+               }
+
+               ui.auth_description = pa_type;
+
                log_authentication_event(kdc_db_ctx->msg_ctx,
                                         kdc_db_ctx->lp_ctx,
                                         start_time,
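Review bot: For HDB_AUTHSTATUS_CLIENT_UNKNOWN the audit record's auth_description is the bare pa_type, whereas the password branch earlier in this function logs `"%s Pre-authentication"` for the same pa_type, so one mechanism (say ENC-TS) appears under two different descriptions depending on whether the principal existed, and anything correlating failed pre-auth by auth_description has to know both forms. The `"AS-REQ"` fallback is also a message type rather than a pre-auth type, which is reasonable for an unknown client that sent no pre-auth but deserves a line: `/* No pre-auth data: the client was rejected at the bare AS-REQ stage. */`. Consider using the same `"%s Pre-authentication"` formatting when pa_type is non-NULL so the two branches agree, and assigning the fallback to a local rather than overwriting the pa_type parameter. The function continues outside this hunk.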
@@ -552,11 +592,11 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
        (*db)->hdb_close = hdb_samba4_close;
        (*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
        (*db)->hdb_store = hdb_samba4_store;
-       (*db)->hdb_remove = hdb_samba4_remove;
        (*db)->hdb_firstkey = hdb_samba4_firstkey;
        (*db)->hdb_nextkey = hdb_samba4_nextkey;
        (*db)->hdb_lock = hdb_samba4_lock;
        (*db)->hdb_unlock = hdb_samba4_unlock;
+       (*db)->hdb_set_sync = hdb_samba4_set_sync;
        (*db)->hdb_rename = hdb_samba4_rename;
        /* we don't implement these, as we are not a lockable database */
        (*db)->hdb__get = NULL;
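Review bot: Dropping the hdb_remove assignment leaves (*db)->hdb_remove unset, which is only safe if *db is zero-allocated and Heimdal checks the pointer before calling it; the neighbouring `hdb__get = NULL` shows the file already relies on NULL meaning unsupported, but the old hdb_samba4_remove returned HDB_ERR_DB_INUSE and could not crash. Neither the allocation of *db nor the Heimdal caller is visible here, so confirm that interface version 11 treats a NULL hdb_remove as "not supported" and, if so, add it to the explicit NULL list under the same comment: `(*db)->hdb_remove = NULL; /* read-only backend; Heimdal treats NULL as unsupported */`. hdb_samba4_create_kdc starts before this hunk.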
@@ -568,7 +608,7 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
        (*db)->hdb_auth_status = hdb_samba4_auth_status;
        (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
        (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
-       (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;
+       (*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service;
 
        return NT_STATUS_OK;
 }
index a64827d030952c0a516e5d8eeebf590fa10636b6..c6cc61ad02d7da4183115e1a1d4b731814512d1d 100644 (file)
@@ -52,11 +52,7 @@ int kdc_check_pac(krb5_context context,
                }
        }
 
-#if HDB_ENCTYPE2KEY_TAKES_KEYSET
        ret = hdb_enctype2key(context, &ent->entry, NULL, etype, &key);
-#else
-       ret = hdb_enctype2key(context, &ent->entry, etype, &key);
-#endif
 
        if (ret != 0) {
                return ret;
index a9115ec23d74456faa139555937627f9f6eef0ef..17f06cf81a8072c66a52e6a262550539e607c42e 100644 (file)
@@ -64,12 +64,12 @@ struct SDBFlags {
        unsigned int allow_kerberos4:1;
        unsigned int allow_digest:1;
        unsigned int locked_out:1;
-       unsigned int _unused18:1;
-       unsigned int _unused19:1;
-       unsigned int _unused20:1;
-       unsigned int _unused21:1;
-       unsigned int _unused22:1;
-       unsigned int _unused23:1;
+       unsigned int require_pwchange:1;
+       unsigned int materialize:1;
+       unsigned int virtual_keys:1;
+       unsigned int virtual:1;
+       unsigned int synthetic:1;
+       unsigned int no_auth_data_reqd:1;
        unsigned int _unused24:1;
        unsigned int _unused25:1;
        unsigned int _unused26:1;
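Review bot: The six renamed bits replace `_unusedNN` placeholders without a comment saying what each means or which side sets them; within this commit only no_auth_data_reqd is populated (uf2SDBFlags in db-glue.c), while the other five are copied through to Heimdal by sdb_flags_to_hdb_flags with whatever value the caller left in them. A one-line comment per field, or at least `/* bits 18-23 mirror Heimdal's HDBFlags; only no_auth_data_reqd is set on the Samba side */`, would tell the next reader that require_pwchange, materialize, virtual_keys, virtual and synthetic are pass-through for now. Note that `virtual` is a reserved word in C++, so this header cannot be included from C++ as written; that presumably mirrors Heimdal's own field name, so keep it but be aware. struct SDBFlags starts before this hunk.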
index 66ee763dd609ea7b0b50cce8ebec40c5c5c38a2a..4ae3f26a947a36dcf1d6d9168b68f6240e120336 100644 (file)
@@ -51,12 +51,12 @@ static void sdb_flags_to_hdb_flags(const struct SDBFlags *s,
        h->allow_kerberos4 = s->allow_kerberos4;
        h->allow_digest = s->allow_digest;
        h->locked_out = s->locked_out;
-       h->_unused18 = s->_unused18;
-       h->_unused19 = s->_unused19;
-       h->_unused20 = s->_unused20;
-       h->_unused21 = s->_unused21;
-       h->_unused22 = s->_unused22;
-       h->_unused23 = s->_unused23;
+       h->require_pwchange = s->require_pwchange;
+       h->materialize = s->materialize;
+       h->virtual_keys = s->virtual_keys;
+       h->virtual = s->virtual;
+       h->synthetic = s->synthetic;
+       h->no_auth_data_reqd = s->no_auth_data_reqd;
        h->_unused24 = s->_unused24;
        h->_unused25 = s->_unused25;
        h->_unused26 = s->_unused26;
@@ -175,7 +175,7 @@ static int sdb_event_to_Event(krb5_context context,
 
 static int sdb_entry_to_hdb_entry(krb5_context context,
                                  const struct sdb_entry *s,
-                                 struct hdb_entry *h)
+                                 hdb_entry *h)
 {
        unsigned int i;
        int rc;
index c1e8780f5d35cb0b2e2d9ca13ea7b39a9584aaef..6a5565d511e636940a862cbdd1e67e724da84221 100644 (file)
@@ -213,7 +213,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
                                return ret;
                        }
                }
-               ret = hdb_enctype2key(context, &krbtgt->entry, etype, &key);
+               ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key);
                if (ret != 0) {
                        talloc_free(mem_ctx);
                        return ret;