#include "system/network.h"
#include "dlinklist.h"
#include "lib/ldb/include/ldb.h"
+#include "heimdal/lib/krb5/krb5_locl.h"
#include "heimdal/lib/krb5/krb5-private.h"
#include "auth/auth.h"
#include "dsdb/samdb/samdb.h"
+#include "rpc_server/dcerpc_server.h"
+#include "rpc_server/samr/proto.h"
+#include "libcli/security/security.h"
/* hold information about one kdc socket */
struct kpasswd_socket {
"Not permitted to change password",
error_blob);
}
- if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
+ if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
const char *reject_string;
switch (reject_reason) {
case SAMR_REJECT_TOO_SHORT:
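Review bot: The new `dominfo &&` guard means a NT_STATUS_PASSWORD_RESTRICTION status arriving without domain info now skips the reject-reason switch entirely and takes whatever path follows this block, presumably the generic error reply, and nothing in the hunk says that is intended. The callers that pass a NULL `dominfo` in this patch do so together with SAMR_REJECT_OTHER on their failure paths, so a one-line comment above the condition would make the contract explicit, e.g. `/* dominfo is NULL on the failure paths (decode/transaction), which also pass SAMR_REJECT_OTHER; fall through to the generic reply */`. The enclosing function starts and ends outside the hunk.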
DATA_BLOB *reply)
{
struct auth_session_info *session_info;
- if (!msg) {
- return False;
- }
-
if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
&session_info))) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
case KRB5_KPASSWD_VERS_SETPW:
{
NTSTATUS status;
- enum samr_RejectReason reject_reason;
- struct samr_DomInfo1 *dominfo;
+ enum samr_RejectReason reject_reason = SAMR_REJECT_OTHER;
+ struct samr_DomInfo1 *dominfo = NULL;
struct ldb_context *samdb;
- struct ldb_message *msg = ldb_msg_new(mem_ctx);
+ struct ldb_message *msg;
krb5_context context = kdc->smb_krb5_context->krb5_context;
ChangePasswdDataMS chpw;
size_t len;
int ret;
+ msg = ldb_msg_new(mem_ctx);
+ if (!msg) {
+ return False;
+ }
+
ret = decode_ChangePasswdDataMS(input->data, input->length,
&chpw, &len);
if (ret) {
status = NT_STATUS_TRANSACTION_ABORTED;
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
- reject_reason,
- dominfo,
+ SAMR_REJECT_OTHER,
+ NULL,
reply);
}
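Review bot: The initialisers `reject_reason = SAMR_REJECT_OTHER` and `dominfo = NULL` added at the top of the SETPW case are now dead at the two early-return sites, because those calls were rewritten to pass the literals `SAMR_REJECT_OTHER, NULL` instead of the locals; the same duplication appears in the `ldb_transaction_cancel` hunk just below. Keeping the defaults in one place avoids the two drifting apart, so either drop the initialisers or keep passing `reject_reason, dominfo` at both sites. The `msg = ldb_msg_new(mem_ctx)` allocation is also performed before the request is decoded even though `msg` is not used in the visible part of the case, so a malformed request pays for an allocation that is only released with `mem_ctx`; if `msg` is first needed after the decode, allocating it there would be tighter. The enclosing case body continues outside the hunk.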
ldb_transaction_cancel(samdb);
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
- reject_reason,
- dominfo,
+ SAMR_REJECT_OTHER,
+ NULL,
reply);
}
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
- const char *peer_addr,
- int peer_port,
- const char *my_addr,
- int my_port)
+ struct socket_address *peer_addr,
+ struct socket_address *my_addr)
{
BOOL ret;
const uint16_t header_len = 6;
uint16_t krb_priv_len;
uint16_t version;
NTSTATUS nt_status;
- DATA_BLOB ap_req, krb_priv_req, krb_priv_rep, ap_rep;
+ DATA_BLOB ap_req, krb_priv_req;
+ DATA_BLOB krb_priv_rep = data_blob(NULL, 0);
+ DATA_BLOB ap_rep = data_blob(NULL, 0);
DATA_BLOB kpasswd_req, kpasswd_rep;
struct cli_credentials *server_credentials;
struct gensec_security *gensec_security;
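Review bot: Only `krb_priv_rep` and `ap_rep` receive the `data_blob(NULL, 0)` initialiser while `ap_req`, `krb_priv_req`, `kpasswd_req` and `kpasswd_rep` stay uninitialised, which reads as if the first two are released on an early-exit path before they are assigned; if that is the reason, a comment such as `/* zero-length so the error path can free them unconditionally */` would stop a later reader from "tidying" the asymmetry away. The new `struct socket_address *peer_addr` / `my_addr` parameters replace the old string+port pairs but carry no statement of whether NULL is accepted or who owns them; further down in this function they are handed straight to `gensec_set_peer_addr` and `gensec_set_my_addr`, and the existing comment there says MIT clients require the addresses to be present, so a header comment stating that both must be non-NULL (or that the gensec setters tolerate NULL, if they do) would pin that down. The function body runs past the end of the hunk.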
DEBUG(1, ("Failed to init server credentials\n"));
return False;
}
-
+
+ /* We want the credentials subsystem to use the krb5 context
+ * we already have, rather than a new context */
+ cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
cli_credentials_set_conf(server_credentials);
nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw");
if (!NT_STATUS_IS_OK(nt_status)) {
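Review bot: The result of the new `cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context)` call is discarded, whereas the `cli_credentials_set_stored_principal` result on the next lines is checked; if that setter can fail (for instance when it has to take a reference to the context), the credentials would silently remain on a different krb5 context than the KDC's, which is exactly what the accompanying comment says the call is meant to avoid. If its contract allows failure, mirror the surrounding error handling, e.g. `if (cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context) != 0) { DEBUG(1, ("Failed to set krb5 context on server credentials\n")); return False; }`; if it cannot fail, a short note saying so next to the call would save the next reader the same question. The enclosing function starts and ends outside the hunk.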
/* The kerberos PRIV packets include these addresses. MIT
* clients check that they are present */
- nt_status = gensec_set_peer_addr(gensec_security, peer_addr, peer_port);
+ nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return False;
}
- nt_status = gensec_set_my_addr(gensec_security, my_addr, my_port);
+ nt_status = gensec_set_my_addr(gensec_security, my_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return False;