Move kdc_get_policy helper in the lsa server where it belongs.
[idra/samba.git] / source4 / rpc_server / lsa / dcesrv_lsa.c
index de95b4a7fa8f47f9d57e99a5e85e21e0e38ded67..2ecd144bfbe0aa8257907ac533bb6f003ce8f2ef 100644 (file)
@@ -31,7 +31,6 @@
 #include "lib/util/tsort.h"
 #include "dsdb/common/util.h"
 #include "libcli/security/session.h"
-#include "kdc/kdc-policy.h"
 #include "libcli/lsarpc/util_lsarpc.h"
 
 /*
@@ -3691,6 +3690,31 @@ static NTSTATUS dcesrv_lsa_SetInfoPolicy2(struct dcesrv_call_state *dce_call,
        DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
 }
 
+static void kdc_get_policy(struct loadparm_context *lp_ctx,
+                          struct smb_krb5_context *smb_krb5_context,
+                          struct lsa_DomainInfoKerberos *k)
+{
+       time_t svc_tkt_lifetime;
+       time_t usr_tkt_lifetime;
+       time_t renewal_lifetime;
+
+       /* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+       /* Our KDC always re-validates the client */
+       k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+       lpcfg_default_kdc_policy(lp_ctx, &svc_tkt_lifetime,
+                                &usr_tkt_lifetime, &renewal_lifetime);
+
+       unix_to_nt_time(&k->service_tkt_lifetime, svc_tkt_lifetime);
+       unix_to_nt_time(&k->user_tkt_lifetime, usr_tkt_lifetime);
+       unix_to_nt_time(&k->user_tkt_renewaltime, renewal_lifetime);
+       if (smb_krb5_context) {
+               unix_to_nt_time(&k->clock_skew, 
+                               krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+       }
+       k->reserved = 0;
+}
 /*
   lsa_QueryDomainInformationPolicy
 */
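Review bot: `k->clock_skew` is assigned only inside `if (smb_krb5_context)`, so when the context is NULL the field keeps whatever the caller's buffer held, while every other member of `lsa_DomainInfoKerberos` is always written. The caller is outside this hunk, so whether `k` comes from a zeroing allocator cannot be confirmed here; if it does not, stale memory would presumably be marshalled into the LSA reply sent to the RPC client. Setting a default before the branch, `k->clock_skew = 0;`, makes the helper safe however the caller allocates. Separately, the three lifetimes look like durations rather than absolute timestamps, yet they go through `unix_to_nt_time()`, whose name suggests an epoch conversion; it is worth confirming the resulting values are what clients expect, and adding a comment such as `/* lifetimes are durations in seconds, not wall-clock times */` either way.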