#include "../lib/crypto/md4.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
-#include <hdb.h>
+#include "kdc/sdb.h"
#include "kdc/samba_kdc.h"
#include "kdc/db-glue.h"
return timegm(&tm);
}
-static HDBFlags uf2HDBFlags(krb5_context context, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type)
+static struct SDBFlags uf2SDBFlags(krb5_context context, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type)
{
- HDBFlags flags = int2HDBFlags(0);
+ struct SDBFlags flags = int2SDBFlags(0);
/* we don't allow kadmin deletes */
flags.immutable = 1;
static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
{
if (p->entry_ex != NULL) {
- hdb_entry_ex *entry_ex = p->entry_ex;
- free_hdb_entry(&entry_ex->entry);
+ struct sdb_entry_ex *entry_ex = p->entry_ex;
+ free_sdb_entry(&entry_ex->entry);
}
return 0;
}
-static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
-{
- /* this function is called only from hdb_free_entry().
- * Make sure we neutralize the destructor or we will
- * get a double free later when hdb_free_entry() will
- * try to call free_hdb_entry() */
- talloc_set_destructor(entry_ex->ctx, NULL);
-
- /* now proceed to free the talloc part */
- talloc_free(entry_ex->ctx);
-}
-
static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
TALLOC_CTX *mem_ctx,
bool is_rodc,
uint32_t userAccountControl,
enum samba_kdc_ent_type ent_type,
- hdb_entry_ex *entry_ex)
+ struct sdb_entry_ex *entry_ex)
{
krb5_error_code ret = 0;
enum ndr_err_code ndr_err;
if (kdc_db_ctx->rodc) {
/* We are on an RODC, but don't have keys for this account. Signal this to the caller */
/* TODO: We need to call a generalised version of auth_sam_trigger_repl_secret from here */
- return HDB_ERR_NOT_FOUND_HERE;
+ return SDB_ERR_NOT_FOUND_HERE;
}
/* oh, no password. Apparently (comment in
/* allocate space to decode into */
entry_ex->entry.keys.len = 0;
- entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(Key));
+ entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(struct sdb_key));
if (entry_ex->entry.keys.val == NULL) {
ret = ENOMEM;
goto out;
}
if (hash && (supported_enctypes & ENC_RC4_HMAC_MD5)) {
- Key key;
-
- key.mkvno = 0;
- key.salt = NULL; /* No salt for this enc type */
+ struct sdb_key key = {};
ret = smb_krb5_keyblock_init_contents(context,
ENCTYPE_ARCFOUR_HMAC,
if (pkb4) {
for (i=0; i < pkb4->num_keys; i++) {
- Key key;
+ struct sdb_key key = {};
if (!pkb4->keys[i].value) continue;
continue;
}
- key.mkvno = 0;
- key.salt = NULL;
-
if (pkb4->salt.string) {
DATA_BLOB salt;
}
if (ret) {
if (key.salt) {
- free_Salt(key.salt);
+ kerberos_free_data_contents(context, &key.salt->salt);
free(key.salt);
key.salt = NULL;
}
}
} else if (pkb3) {
for (i=0; i < pkb3->num_keys; i++) {
- Key key;
+ struct sdb_key key = {};
if (!pkb3->keys[i].value) continue;
continue;
}
- key.mkvno = 0;
- key.salt = NULL;
-
if (pkb3->salt.string) {
DATA_BLOB salt;
&key.key);
if (ret) {
if (key.salt) {
- free_Salt(key.salt);
+ kerberos_free_data_contents(context, &key.salt->salt);
free(key.salt);
key.salt = NULL;
}
unsigned flags,
struct ldb_dn *realm_dn,
struct ldb_message *msg,
- hdb_entry_ex *entry_ex)
+ struct sdb_entry_ex *entry_ex)
{
struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
uint32_t userAccountControl;
}
p->kdc_db_ctx = kdc_db_ctx;
- p->entry_ex = entry_ex;
p->realm_dn = talloc_reference(p, realm_dn);
if (!p->realm_dn) {
ret = ENOMEM;
talloc_set_destructor(p, samba_kdc_entry_destructor);
- /* make sure we do not have bogus data in there */
- memset(&entry_ex->entry, 0, sizeof(hdb_entry));
-
entry_ex->ctx = p;
- entry_ex->free_entry = samba_kdc_free_entry;
userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
*/
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
- if (flags & (HDB_F_CANON)) {
+ if (flags & (SDB_F_CANON)) {
/*
* When requested to do so, ensure that the
* both realm values in the principal are set
krb5_clear_error_message(context);
goto out;
}
- } else if (flags & HDB_F_CANON && flags & HDB_F_FOR_AS_REQ) {
+ } else if (flags & SDB_F_CANON && flags & SDB_F_FOR_AS_REQ) {
/*
- * HDB_F_CANON maps from the canonicalize flag in the
+ * SDB_F_CANON maps from the canonicalize flag in the
* packet, and has a different meaning between AS-REQ
* and TGS-REQ. We only change the principal in the AS-REQ case
*/
}
/* First try and figure out the flags based on the userAccountControl */
- entry_ex->entry.flags = uf2HDBFlags(context, userAccountControl, ent_type);
+ entry_ex->entry.flags = uf2SDBFlags(context, userAccountControl, ent_type);
/* Windows 2008 seems to enforce this (very sensible) rule by
* default - don't allow offline attacks on a user's password
* KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
*/
if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER && entry_ex->entry.flags.server == 0) {
- ret = HDB_ERR_NOENTRY;
+ ret = SDB_ERR_NOENTRY;
krb5_set_error_message(context, ret, "samba_kdc_message2entry: no servicePrincipalName present for this server, refusing with no-such-entry");
goto out;
}
- if (flags & HDB_F_ADMIN_DATA) {
+ if (flags & SDB_F_ADMIN_DATA) {
/* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
* of the Heimdal KDC. They are stored in a the traditional
* DB for audit purposes, and still form part of the structure
goto out;
}
- entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event));
+ entry_ex->entry.modified_by = (struct sdb_event *) malloc(sizeof(struct sdb_event));
if (entry_ex->entry.modified_by == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
out:
if (ret != 0) {
/* This doesn't free ent itself, that is for the eventual caller to do */
- hdb_free_entry(context, entry_ex);
+ sdb_free_entry(entry_ex);
ZERO_STRUCTP(entry_ex);
} else {
talloc_steal(kdc_db_ctx, entry_ex->ctx);
unsigned flags,
uint32_t kvno,
struct ldb_message *msg,
- hdb_entry_ex *entry_ex)
+ struct sdb_entry_ex *entry_ex)
{
struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
const char *our_realm = lpcfg_realm(lp_ctx);
trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
if (!(trust_direction_flags & direction)) {
krb5_clear_error_message(context);
- ret = HDB_ERR_NOENTRY;
+ ret = SDB_ERR_NOENTRY;
goto out;
}
dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
if (dnsdomain == NULL) {
krb5_clear_error_message(context);
- ret = HDB_ERR_NOENTRY;
+ ret = SDB_ERR_NOENTRY;
goto out;
}
partner_realm = strupper_talloc(mem_ctx, dnsdomain);
if (password_val == NULL) {
krb5_clear_error_message(context);
- ret = HDB_ERR_NOENTRY;
+ ret = SDB_ERR_NOENTRY;
goto out;
}
}
p->kdc_db_ctx = kdc_db_ctx;
- p->entry_ex = entry_ex;
p->realm_dn = realm_dn;
talloc_set_destructor(p, samba_kdc_entry_destructor);
/* make sure we do not have bogus data in there */
- memset(&entry_ex->entry, 0, sizeof(hdb_entry));
+ memset(&entry_ex->entry, 0, sizeof(struct sdb_entry));
entry_ex->ctx = p;
- entry_ex->free_entry = samba_kdc_free_entry;
/* use 'whenCreated' */
entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
if (password_blob.previous.count == 0) {
/* there is no previous password */
use_previous = false;
- } else if (!(flags & HDB_F_KVNO_SPECIFIED)) {
+ } else if (!(flags & SDB_F_KVNO_SPECIFIED)) {
/*
* If not specified we use the lowest kvno
* for the first hour after an update.
}
/* use the kvno the client specified, if available */
- if (flags & HDB_F_KVNO_SPECIFIED) {
+ if (flags & SDB_F_KVNO_SPECIFIED) {
entry_ex->entry.kvno = kvno;
} else {
entry_ex->entry.kvno = *auth_kvno;
if (num_keys == 0) {
DEBUG(1,(__location__ ": no usable key found\n"));
krb5_clear_error_message(context);
- ret = HDB_ERR_NOENTRY;
+ ret = SDB_ERR_NOENTRY;
goto out;
}
- entry_ex->entry.keys.val = calloc(num_keys, sizeof(Key));
+ entry_ex->entry.keys.val = calloc(num_keys, sizeof(struct sdb_key));
if (entry_ex->entry.keys.val == NULL) {
krb5_clear_error_message(context);
ret = ENOMEM;
}
if (password_utf8.length != 0) {
- Key key = {};
+ struct sdb_key key = {};
krb5_const_principal salt_principal = entry_ex->entry.principal;
krb5_data salt;
krb5_data cleartext_data;
}
if (password_hash != NULL) {
- Key key = {};
+ struct sdb_key key = {};
ret = smb_krb5_keyblock_init_contents(context,
ENCTYPE_ARCFOUR_HMAC,
entry_ex->entry.keys.len++;
}
- entry_ex->entry.flags = int2HDBFlags(0);
+ entry_ex->entry.flags = int2SDBFlags(0);
entry_ex->entry.flags.immutable = 1;
entry_ex->entry.flags.invalid = 0;
entry_ex->entry.flags.server = 1;
if (ret != 0) {
/* This doesn't free ent itself, that is for the eventual caller to do */
- hdb_free_entry(context, entry_ex);
+ sdb_free_entry(entry_ex);
} else {
talloc_steal(kdc_db_ctx, entry_ex->ctx);
}
if (NT_STATUS_IS_OK(status)) {
return 0;
} else if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
} else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
int ret = ENOMEM;
krb5_set_error_message(context, ret, "get_sam_result_trust: out of memory");
TALLOC_FREE(principal_string);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
return ENOMEM;
} else if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
unsigned flags,
- hdb_entry_ex *entry_ex) {
+ struct sdb_entry_ex *entry_ex) {
struct ldb_dn *realm_dn;
krb5_error_code ret;
struct ldb_message *msg = NULL;
krb5_const_principal principal,
unsigned flags,
uint32_t kvno,
- hdb_entry_ex *entry_ex)
+ struct sdb_entry_ex *entry_ex)
{
struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
krb5_error_code ret;
realm_from_princ_malloc = smb_krb5_principal_get_realm(context, principal);
if (realm_from_princ_malloc == NULL) {
/* can't happen */
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
realm_from_princ = talloc_strdup(mem_ctx, realm_from_princ_malloc);
free(realm_from_princ_malloc);
if (realm_from_princ == NULL) {
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
if (krb5_princ_size(context, principal) != 2
|| (principal_comp_strcmp(context, principal, 0, KRB5_TGS_NAME) != 0)) {
/* Not a krbtgt */
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
/* krbtgt case. Either us or a trusted realm */
/* w2k8r2 sometimes gives us a kvno of 255 for inter-domain
trust tickets. We don't yet know what this means, but we do
seem to need to treat it as unspecified */
- if (flags & HDB_F_KVNO_SPECIFIED) {
+ if (flags & SDB_F_KVNO_SPECIFIED) {
krbtgt_number = SAMBA_KVNO_GET_KRBTGT(kvno);
if (kdc_db_ctx->rodc) {
if (krbtgt_number != kdc_db_ctx->my_krbtgt_number) {
- return HDB_ERR_NOT_FOUND_HERE;
+ return SDB_ERR_NOT_FOUND_HERE;
}
}
} else {
if (lret == LDB_ERR_NO_SUCH_OBJECT) {
krb5_warnx(context, "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
(unsigned)(krbtgt_number));
- krb5_set_error_message(context, HDB_ERR_NOENTRY,
+ krb5_set_error_message(context, SDB_ERR_NOENTRY,
"samba_kdc_fetch: could not find KRBTGT number %u in DB!",
(unsigned)(krbtgt_number));
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
} else if (lret != LDB_SUCCESS) {
krb5_warnx(context, "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
(unsigned)(krbtgt_number));
- krb5_set_error_message(context, HDB_ERR_NOENTRY,
+ krb5_set_error_message(context, SDB_ERR_NOENTRY,
"samba_kdc_fetch: could not find KRBTGT number %u in DB!",
(unsigned)(krbtgt_number));
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
krb5_warnx(context, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')",
realm_from_princ,
realm_princ_comp);
- krb5_set_error_message(context, HDB_ERR_NOENTRY, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')",
+ krb5_set_error_message(context, SDB_ERR_NOENTRY, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')",
realm_from_princ,
realm_princ_comp);
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
/* Trusted domains are under CN=system */
free(principal_string);
if (!NT_STATUS_IS_OK(nt_status)) {
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
ldb_ret = dsdb_search_one(kdc_db_ctx->samdb,
DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
"(objectClass=*)");
if (ldb_ret != LDB_SUCCESS) {
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
return 0;
- } else if (!(flags & HDB_F_FOR_AS_REQ)
+ } else if (!(flags & SDB_F_FOR_AS_REQ)
&& smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
/*
* The behaviour of accepting an
if (lret == LDB_ERR_NO_SUCH_OBJECT) {
DEBUG(10, ("Failed to find an entry for %s filter:%s\n",
name1, filter));
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
if (lret == LDB_ERR_CONSTRAINT_VIOLATION) {
DEBUG(10, ("Failed to find unique entry for %s filter:%s\n",
name1, filter));
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
if (lret != LDB_SUCCESS) {
DEBUG(0, ("Failed single search for %s - %s\n",
name1, ldb_errstring(kdc_db_ctx->samdb)));
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
return 0;
}
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
unsigned flags,
- hdb_entry_ex *entry_ex)
+ struct sdb_entry_ex *entry_ex)
{
krb5_error_code ret;
struct ldb_dn *realm_dn;
TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
unsigned flags,
- hdb_entry_ex *entry_ex)
+ struct sdb_entry_ex *entry_ex)
{
TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status;
num_comp = krb5_princ_size(context, principal);
- if (flags & HDB_F_GET_CLIENT) {
- if (flags & HDB_F_FOR_AS_REQ) {
+ if (flags & SDB_F_GET_CLIENT) {
+ if (flags & SDB_F_FOR_AS_REQ) {
check_realm = true;
}
}
- if (flags & HDB_F_GET_SERVER) {
- if (flags & HDB_F_FOR_TGS_REQ) {
+ if (flags & SDB_F_GET_SERVER) {
+ if (flags & SDB_F_FOR_TGS_REQ) {
check_realm = true;
}
}
*/
SAFE_FREE(_realm);
TALLOC_FREE(frame);
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
realm = talloc_strdup(frame, _realm);
if (num_comp != 1) {
TALLOC_FREE(frame);
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
principal_string = smb_krb5_principal_get_comp_string(frame, context,
}
}
- if (flags & HDB_F_GET_SERVER) {
+ if (flags & SDB_F_GET_SERVER) {
char *service_realm = NULL;
ret = principal_comp_strcmp(context, principal, 0, KRB5_TGS_NAME);
}
TALLOC_FREE(frame);
- return HDB_ERR_WRONG_REALM;
+ return SDB_ERR_WRONG_REALM;
}
krb5_error_code samba_kdc_fetch(krb5_context context,
krb5_const_principal principal,
unsigned flags,
krb5_kvno kvno,
- hdb_entry_ex *entry_ex)
+ struct sdb_entry_ex *entry_ex)
{
- krb5_error_code ret = HDB_ERR_NOENTRY;
+ krb5_error_code ret = SDB_ERR_NOENTRY;
TALLOC_CTX *mem_ctx;
mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_fetch context");
goto done;
}
- ret = HDB_ERR_NOENTRY;
+ ret = SDB_ERR_NOENTRY;
- if (flags & HDB_F_GET_CLIENT) {
+ if (flags & SDB_F_GET_CLIENT) {
ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex);
- if (ret != HDB_ERR_NOENTRY) goto done;
+ if (ret != SDB_ERR_NOENTRY) goto done;
}
- if (flags & HDB_F_GET_SERVER) {
+ if (flags & SDB_F_GET_SERVER) {
/* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, kvno, entry_ex);
- if (ret != HDB_ERR_NOENTRY) goto done;
+ if (ret != SDB_ERR_NOENTRY) goto done;
/* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex);
- if (ret != HDB_ERR_NOENTRY) goto done;
+ if (ret != SDB_ERR_NOENTRY) goto done;
}
- if (flags & HDB_F_GET_KRBTGT) {
+ if (flags & SDB_F_GET_KRBTGT) {
ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, kvno, entry_ex);
- if (ret != HDB_ERR_NOENTRY) goto done;
+ if (ret != SDB_ERR_NOENTRY) goto done;
}
done:
static krb5_error_code samba_kdc_seq(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
- hdb_entry_ex *entry)
+ struct sdb_entry_ex *entry)
{
krb5_error_code ret;
struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
TALLOC_CTX *mem_ctx;
if (!priv) {
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
mem_ctx = talloc_named(priv, 0, "samba_kdc_seq context");
}
if (sAMAccountName == NULL) {
- ret = HDB_ERR_NOENTRY;
+ ret = SDB_ERR_NOENTRY;
goto out;
}
ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
principal, SAMBA_KDC_ENT_TYPE_ANY,
- HDB_F_ADMIN_DATA|HDB_F_GET_ANY,
+ SDB_F_ADMIN_DATA|SDB_F_GET_ANY,
priv->realm_dn, msg, entry);
out:
krb5_error_code samba_kdc_firstkey(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
- hdb_entry_ex *entry)
+ struct sdb_entry_ex *entry)
{
struct ldb_context *ldb_ctx = kdc_db_ctx->samdb;
struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
if (lret != LDB_SUCCESS) {
TALLOC_FREE(priv);
- return HDB_ERR_NOENTRY;
+ return SDB_ERR_NOENTRY;
}
priv->count = res->count;
krb5_error_code samba_kdc_nextkey(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
- hdb_entry_ex *entry)
+ struct sdb_entry_ex *entry)
{
return samba_kdc_seq(context, kdc_db_ctx, entry);
}
}
ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, target_principal,
- HDB_F_GET_CLIENT|HDB_F_GET_SERVER,
+ SDB_F_GET_CLIENT|SDB_F_GET_SERVER,
delegation_check_attrs, &realm_dn, &msg);
if (ret != 0) {
git.samba.org / samba.git / commitdiff