source4/kdc/kpasswdd.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    kpasswd Server implementation
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7    Copyright (C) Andrew Tridgell        2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "smbd/service_task.h"
  26 #include "lib/events/events.h"
  27 #include "lib/socket/socket.h"
  28 #include "kdc/kdc.h"
  29 #include "system/network.h"
  30 #include "lib/util/dlinklist.h"
  31 #include "lib/ldb/include/ldb.h"
  32 #include "heimdal/lib/krb5/krb5_locl.h"
  33 #include "heimdal/lib/krb5/krb5-private.h"
  34 #include "auth/auth.h"
  35 #include "dsdb/samdb/samdb.h"
  36 #include "rpc_server/dcerpc_server.h"
  37 #include "rpc_server/samr/proto.h"
  38 #include "libcli/security/security.h"
  39
  40 /* hold information about one kdc socket */
  41 struct kpasswd_socket {
  42         struct socket_context *sock;
  43         struct kdc_server *kdc;
  44         struct fd_event *fde;
  45
  46         /* a queue of outgoing replies that have been deferred */
  47         struct kdc_reply *send_queue;
  48 };
  49
  50 /* Return true if there is a valid error packet formed in the error_blob */
  51 static BOOL kpasswdd_make_error_reply(struct kdc_server *kdc,
  52                                      TALLOC_CTX *mem_ctx,
  53                                      uint16_t result_code,
  54                                      const char *error_string,
  55                                      DATA_BLOB *error_blob)
  56 {
  57         char *error_string_utf8;
  58         ssize_t len;
  59
  60         DEBUG(result_code ? 3 : 10, ("kpasswdd: %s\n", error_string));
  61
  62         len = push_utf8_talloc(mem_ctx, &error_string_utf8, error_string);
  63         if (len == -1) {
  64                 return False;
  65         }
  66
  67         *error_blob = data_blob_talloc(mem_ctx, NULL, 2 + len + 1);
  68         if (!error_blob->data) {
  69                 return False;
  70         }
  71         RSSVAL(error_blob->data, 0, result_code);
  72         memcpy(error_blob->data + 2, error_string_utf8, len + 1);
  73         return True;
  74 }
  75
  76 /* Return true if there is a valid error packet formed in the error_blob */
  77 static BOOL kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
  78                                             TALLOC_CTX *mem_ctx,
  79                                             uint16_t result_code,
  80                                             const char *error_string,
  81                                             DATA_BLOB *error_blob)
  82 {
  83         BOOL ret;
  84         int kret;
  85         DATA_BLOB error_bytes;
  86         krb5_data k5_error_bytes, k5_error_blob;
  87         ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string,
  88                                        &error_bytes);
  89         if (!ret) {
  90                 return False;
  91         }
  92         k5_error_bytes.data = error_bytes.data;
  93         k5_error_bytes.length = error_bytes.length;
  94         kret = krb5_mk_error(kdc->smb_krb5_context->krb5_context,
  95                              result_code, NULL, &k5_error_bytes,
  96                              NULL, NULL, NULL, NULL, &k5_error_blob);
  97         if (kret) {
  98                 return False;
  99         }
 100         *error_blob = data_blob_talloc(mem_ctx, k5_error_blob.data, k5_error_blob.length);
 101         krb5_data_free(&k5_error_blob);
 102         if (!error_blob->data) {
 103                 return False;
 104         }
 105         return True;
 106 }
 107
 108 static BOOL kpasswd_make_pwchange_reply(struct kdc_server *kdc,
 109                                         TALLOC_CTX *mem_ctx,
 110                                         NTSTATUS status,
 111                                         enum samr_RejectReason reject_reason,
 112                                         struct samr_DomInfo1 *dominfo,
 113                                         DATA_BLOB *error_blob)
 114 {
 115         if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
 116                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 117                                                 KRB5_KPASSWD_ACCESSDENIED,
 118                                                 "No such user when changing password",
 119                                                 error_blob);
 120         }
 121         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 122                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 123                                                 KRB5_KPASSWD_ACCESSDENIED,
 124                                                 "Not permitted to change password",
 125                                                 error_blob);
 126         }
 127         if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
 128                 const char *reject_string;
 129                 switch (reject_reason) {
 130                 case SAMR_REJECT_TOO_SHORT:
 131                         reject_string = talloc_asprintf(mem_ctx, "Password too short, password must be at least %d characters long",
 132                                                         dominfo->min_password_length);
 133                         break;
 134                 case SAMR_REJECT_COMPLEXITY:
 135                         reject_string = "Password does not meet complexity requirements";
 136                         break;
 137                 case SAMR_REJECT_OTHER:
 138                 default:
 139                         reject_string = talloc_asprintf(mem_ctx, "Password must be at least %d characters long, and cannot match any of your %d previous passwords",
 140                                                         dominfo->min_password_length, dominfo->password_history_length);
 141                         break;
 142                 }
 143                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 144                                                 KRB5_KPASSWD_SOFTERROR,
 145                                                 reject_string,
 146                                                 error_blob);
 147         }
 148         if (!NT_STATUS_IS_OK(status)) {
 149                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 150                                                  KRB5_KPASSWD_HARDERROR,
 151                                                  talloc_asprintf(mem_ctx, "failed to set password: %s", nt_errstr(status)),
 152                                                  error_blob);
 153
 154         }
 155         return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_SUCCESS,
 156                                         "Password changed",
 157                                         error_blob);
 158 }
 159
 160 /*
 161    A user password change
 162
 163    Return true if there is a valid error packet (or sucess) formed in
 164    the error_blob
 165 */
 166 static BOOL kpasswdd_change_password(struct kdc_server *kdc,
 167                                      TALLOC_CTX *mem_ctx,
 168                                      struct auth_session_info *session_info,
 169                                      const char *password,
 170                                      DATA_BLOB *reply)
 171 {
 172         NTSTATUS status;
 173         enum samr_RejectReason reject_reason;
 174         struct samr_DomInfo1 *dominfo;
 175         struct ldb_context *samdb;
 176
 177         samdb = samdb_connect(mem_ctx, system_session(mem_ctx));
 178         if (!samdb) {
 179                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 180                                                 KRB5_KPASSWD_HARDERROR,
 181                                                 "Failed to open samdb",
 182                                                 reply);
 183         }
 184
 185         DEBUG(3, ("Changing password of %s\\%s (%s)\n",
 186                   session_info->server_info->domain_name,
 187                   session_info->server_info->account_name,
 188                   dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
 189
 190         /* User password change */
 191         status = samdb_set_password_sid(samdb, mem_ctx,
 192                                         session_info->security_token->user_sid,
 193                                         password, NULL, NULL,
 194                                         True, /* this is a user password change */
 195                                         True, /* run restriction tests */
 196                                         &reject_reason,
 197                                         &dominfo);
 198         return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 199                                            status,
 200                                            reject_reason,
 201                                            dominfo,
 202                                            reply);
 203
 204 }
 205
 206 static BOOL kpasswd_process_request(struct kdc_server *kdc,
 207                                     TALLOC_CTX *mem_ctx,
 208                                     struct gensec_security *gensec_security,
 209                                     uint16_t version,
 210                                     DATA_BLOB *input,
 211                                     DATA_BLOB *reply)
 212 {
 213         struct auth_session_info *session_info;
 214         if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
 215                                                  &session_info))) {
 216                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 217                                                 KRB5_KPASSWD_HARDERROR,
 218                                                 "gensec_session_info failed!",
 219                                                 reply);
 220         }
 221
 222         switch (version) {
 223         case KRB5_KPASSWD_VERS_CHANGEPW:
 224         {
 225                 char *password = talloc_strndup(mem_ctx, (const char *)input->data, input->length);
 226                 if (!password) {
 227                         return False;
 228                 }
 229                 return kpasswdd_change_password(kdc, mem_ctx, session_info,
 230                                                 password, reply);
 231                 break;
 232         }
 233         case KRB5_KPASSWD_VERS_SETPW:
 234         {
 235                 NTSTATUS status;
 236                 enum samr_RejectReason reject_reason = SAMR_REJECT_OTHER;
 237                 struct samr_DomInfo1 *dominfo = NULL;
 238                 struct ldb_context *samdb;
 239                 struct ldb_message *msg;
 240                 krb5_context context = kdc->smb_krb5_context->krb5_context;
 241
 242                 ChangePasswdDataMS chpw;
 243                 char *password;
 244
 245                 krb5_principal principal;
 246                 char *set_password_on_princ;
 247                 struct ldb_dn *set_password_on_dn;
 248
 249                 size_t len;
 250                 int ret;
 251
 252                 msg = ldb_msg_new(mem_ctx);
 253                 if (!msg) {
 254                         return False;
 255                 }
 256
 257                 ret = decode_ChangePasswdDataMS(input->data, input->length,
 258                                                 &chpw, &len);
 259                 if (ret) {
 260                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 261                                                         KRB5_KPASSWD_MALFORMED,
 262                                                         "failed to decode password change structure",
 263                                                         reply);
 264                 }
 265
 266                 password = talloc_strndup(mem_ctx, chpw.newpasswd.data,
 267                                           chpw.newpasswd.length);
 268                 if (!password) {
 269                         free_ChangePasswdDataMS(&chpw);
 270                         return False;
 271                 }
 272                 if ((chpw.targname && !chpw.targrealm)
 273                     || (!chpw.targname && chpw.targrealm)) {
 274                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 275                                                         KRB5_KPASSWD_MALFORMED,
 276                                                         "Realm and principal must be both present, or neither present",
 277                                                         reply);
 278                 }
 279                 if (chpw.targname && chpw.targrealm) {
 280                         if (_krb5_principalname2krb5_principal(&principal, *chpw.targname,
 281                                                                *chpw.targrealm) != 0) {
 282                                 free_ChangePasswdDataMS(&chpw);
 283                                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 284                                                                 KRB5_KPASSWD_MALFORMED,
 285                                                                 "failed to extract principal to set",
 286                                                                 reply);
 287
 288                         }
 289                 } else {
 290                         free_ChangePasswdDataMS(&chpw);
 291                         return kpasswdd_change_password(kdc, mem_ctx, session_info,
 292                                                         password, reply);
 293                 }
 294                 free_ChangePasswdDataMS(&chpw);
 295
 296                 if (krb5_unparse_name(context, principal, &set_password_on_princ) != 0) {
 297                         krb5_free_principal(context, principal);
 298                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 299                                                         KRB5_KPASSWD_MALFORMED,
 300                                                         "krb5_unparse_name failed!",
 301                                                         reply);
 302                 }
 303
 304                 krb5_free_principal(context, principal);
 305
 306                 samdb = samdb_connect(mem_ctx, session_info);
 307                 if (!samdb) {
 308                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 309                                                          KRB5_KPASSWD_HARDERROR,
 310                                                          "Unable to open database!",
 311                                                          reply);
 312                 }
 313
 314                 DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
 315                           session_info->server_info->domain_name,
 316                           session_info->server_info->account_name,
 317                           dom_sid_string(mem_ctx, session_info->security_token->user_sid),
 318                           set_password_on_princ));
 319                 ret = ldb_transaction_start(samdb);
 320                 if (ret) {
 321                         status = NT_STATUS_TRANSACTION_ABORTED;
 322                         return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 323                                                            status,
 324                                                            SAMR_REJECT_OTHER,
 325                                                            NULL,
 326                                                            reply);
 327                 }
 328
 329                 status = crack_user_principal_name(samdb, mem_ctx,
 330                                                    set_password_on_princ,
 331                                                    &set_password_on_dn, NULL);
 332                 free(set_password_on_princ);
 333                 if (!NT_STATUS_IS_OK(status)) {
 334                         ldb_transaction_cancel(samdb);
 335                         return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 336                                                            status,
 337                                                            SAMR_REJECT_OTHER,
 338                                                            NULL,
 339                                                            reply);
 340                 }
 341
 342                 msg = ldb_msg_new(mem_ctx);
 343                 if (msg == NULL) {
 344                         ldb_transaction_cancel(samdb);
 345                         status = NT_STATUS_NO_MEMORY;
 346                 } else {
 347                         msg->dn = ldb_dn_copy(msg, set_password_on_dn);
 348                         if (!msg->dn) {
 349                                 status = NT_STATUS_NO_MEMORY;
 350                         }
 351                 }
 352
 353                 if (NT_STATUS_IS_OK(status)) {
 354                         /* Admin password set */
 355                         status = samdb_set_password(samdb, mem_ctx,
 356                                                     set_password_on_dn, NULL,
 357                                                     msg, password, NULL, NULL,
 358                                                     False, /* this is not a user password change */
 359                                                     True, /* run restriction tests */
 360                                                     &reject_reason, &dominfo);
 361                 }
 362
 363                 if (NT_STATUS_IS_OK(status)) {
 364                         /* modify the samdb record */
 365                         ret = samdb_replace(samdb, mem_ctx, msg);
 366                         if (ret != 0) {
 367                                 DEBUG(2,("Failed to modify record to set password on %s: %s\n",
 368                                          ldb_dn_linearize(mem_ctx, msg->dn),
 369                                          ldb_errstring(samdb)));
 370                                 status = NT_STATUS_ACCESS_DENIED;
 371                         }
 372                 }
 373                 if (NT_STATUS_IS_OK(status)) {
 374                         ret = ldb_transaction_commit(samdb);
 375                         if (ret != 0) {
 376                                 DEBUG(1,("Failed to commit transaction to set password on %s: %s\n",
 377                                          ldb_dn_linearize(mem_ctx, msg->dn),
 378                                          ldb_errstring(samdb)));
 379                                 status = NT_STATUS_TRANSACTION_ABORTED;
 380                         }
 381                 } else {
 382                         ldb_transaction_cancel(samdb);
 383                 }
 384                 return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 385                                                    status,
 386                                                    reject_reason,
 387                                                    dominfo,
 388                                                    reply);
 389         }
 390         default:
 391                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 392                                                  KRB5_KPASSWD_BAD_VERSION,
 393                                                  talloc_asprintf(mem_ctx,
 394                                                                  "Protocol version %u not supported",
 395                                                                  version),
 396                                                  reply);
 397         }
 398         return True;
 399 }
 400
 401 BOOL kpasswdd_process(struct kdc_server *kdc,
 402                       TALLOC_CTX *mem_ctx,
 403                       DATA_BLOB *input,
 404                       DATA_BLOB *reply,
 405                       struct socket_address *peer_addr,
 406                       struct socket_address *my_addr)
 407 {
 408         BOOL ret;
 409         const uint16_t header_len = 6;
 410         uint16_t len;
 411         uint16_t ap_req_len;
 412         uint16_t krb_priv_len;
 413         uint16_t version;
 414         NTSTATUS nt_status;
 415         DATA_BLOB ap_req, krb_priv_req;
 416         DATA_BLOB krb_priv_rep = data_blob(NULL, 0);
 417         DATA_BLOB ap_rep = data_blob(NULL, 0);
 418         DATA_BLOB kpasswd_req, kpasswd_rep;
 419         struct cli_credentials *server_credentials;
 420         struct gensec_security *gensec_security;
 421         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 422
 423         if (!tmp_ctx) {
 424                 return False;
 425         }
 426
 427         /* Be parinoid.  We need to ensure we don't just let the
 428          * caller lead us into a buffer overflow */
 429         if (input->length <= header_len) {
 430                 talloc_free(tmp_ctx);
 431                 return False;
 432         }
 433
 434         len = RSVAL(input->data, 0);
 435         if (input->length != len) {
 436                 talloc_free(tmp_ctx);
 437                 return False;
 438         }
 439
 440         /* There are two different versions of this protocol so far,
 441          * plus others in the standards pipe.  Fortunetly they all
 442          * take a very similar framing */
 443         version = RSVAL(input->data, 2);
 444         ap_req_len = RSVAL(input->data, 4);
 445         if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
 446                 talloc_free(tmp_ctx);
 447                 return False;
 448         }
 449
 450         krb_priv_len = len - ap_req_len;
 451         ap_req = data_blob_const(&input->data[header_len], ap_req_len);
 452         krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
 453
 454         nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx, kdc->task->msg_ctx, &gensec_security);
 455         if (!NT_STATUS_IS_OK(nt_status)) {
 456                 talloc_free(tmp_ctx);
 457                 return False;
 458         }
 459
 460         server_credentials = cli_credentials_init(tmp_ctx);
 461         if (!server_credentials) {
 462                 DEBUG(1, ("Failed to init server credentials\n"));
 463                 return False;
 464         }
 465
 466         /* We want the credentials subsystem to use the krb5 context
 467          * we already have, rather than a new context */
 468         cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
 469         cli_credentials_set_conf(server_credentials);
 470         nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw");
 471         if (!NT_STATUS_IS_OK(nt_status)) {
 472                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 473                                                        KRB5_KPASSWD_HARDERROR,
 474                                                        talloc_asprintf(mem_ctx,
 475                                                                        "Failed to obtain server credentials for kadmin/changepw: %s\n",
 476                                                                        nt_errstr(nt_status)),
 477                                                        &krb_priv_rep);
 478                 ap_rep.length = 0;
 479                 if (ret) {
 480                         goto reply;
 481                 }
 482                 talloc_free(tmp_ctx);
 483                 return ret;
 484         }
 485
 486         nt_status = gensec_set_credentials(gensec_security, server_credentials);
 487         if (!NT_STATUS_IS_OK(nt_status)) {
 488                 talloc_free(tmp_ctx);
 489                 return False;
 490         }
 491
 492         /* The kerberos PRIV packets include these addresses.  MIT
 493          * clients check that they are present */
 494         nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
 495         if (!NT_STATUS_IS_OK(nt_status)) {
 496                 talloc_free(tmp_ctx);
 497                 return False;
 498         }
 499         nt_status = gensec_set_my_addr(gensec_security, my_addr);
 500         if (!NT_STATUS_IS_OK(nt_status)) {
 501                 talloc_free(tmp_ctx);
 502                 return False;
 503         }
 504
 505         /* We want the GENSEC wrap calls to generate PRIV tokens */
 506         gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
 507
 508         nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
 509         if (!NT_STATUS_IS_OK(nt_status)) {
 510                 talloc_free(tmp_ctx);
 511                 return False;
 512         }
 513
 514         /* Accept the AP-REQ and generate teh AP-REP we need for the reply */
 515         nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep);
 516         if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 517
 518                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 519                                                        KRB5_KPASSWD_HARDERROR,
 520                                                        talloc_asprintf(mem_ctx,
 521                                                                        "gensec_update failed: %s",
 522                                                                        nt_errstr(nt_status)),
 523                                                        &krb_priv_rep);
 524                 ap_rep.length = 0;
 525                 if (ret) {
 526                         goto reply;
 527                 }
 528                 talloc_free(tmp_ctx);
 529                 return ret;
 530         }
 531
 532         /* Extract the data from the KRB-PRIV half of the message */
 533         nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
 534         if (!NT_STATUS_IS_OK(nt_status)) {
 535                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 536                                                        KRB5_KPASSWD_HARDERROR,
 537                                                        talloc_asprintf(mem_ctx,
 538                                                                        "gensec_unwrap failed: %s",
 539                                                                        nt_errstr(nt_status)),
 540                                                        &krb_priv_rep);
 541                 ap_rep.length = 0;
 542                 if (ret) {
 543                         goto reply;
 544                 }
 545                 talloc_free(tmp_ctx);
 546                 return ret;
 547         }
 548
 549         /* Figure out something to do with it (probably changing a password...) */
 550         ret = kpasswd_process_request(kdc, tmp_ctx,
 551                                       gensec_security,
 552                                       version,
 553                                       &kpasswd_req, &kpasswd_rep);
 554         if (!ret) {
 555                 /* Argh! */
 556                 return False;
 557         }
 558
 559         /* And wrap up the reply: This ensures that the error message
 560          * or success can be verified by the client */
 561         nt_status = gensec_wrap(gensec_security, tmp_ctx,
 562                                 &kpasswd_rep, &krb_priv_rep);
 563         if (!NT_STATUS_IS_OK(nt_status)) {
 564                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 565                                                        KRB5_KPASSWD_HARDERROR,
 566                                                        talloc_asprintf(mem_ctx,
 567                                                                        "gensec_wrap failed: %s",
 568                                                                        nt_errstr(nt_status)),
 569                                                        &krb_priv_rep);
 570                 ap_rep.length = 0;
 571                 if (ret) {
 572                         goto reply;
 573                 }
 574                 talloc_free(tmp_ctx);
 575                 return ret;
 576         }
 577
 578 reply:
 579         *reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len);
 580         if (!reply->data) {
 581                 return False;
 582         }
 583
 584         RSSVAL(reply->data, 0, reply->length);
 585         RSSVAL(reply->data, 2, 1); /* This is a version 1 reply, MS change/set or otherwise */
 586         RSSVAL(reply->data, 4, ap_rep.length);
 587         memcpy(reply->data + header_len,
 588                ap_rep.data,
 589                ap_rep.length);
 590         memcpy(reply->data + header_len + ap_rep.length,
 591                krb_priv_rep.data,
 592                krb_priv_rep.length);
 593
 594         talloc_free(tmp_ctx);
 595         return ret;
 596 }
 597