[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Thu Jul 30 11:30:04 UTC 2015


The branch, master has been updated
       via  d49b4aa s4-kdc: Use sdb in db-glue and hdb-samba4
       via  99d3719 s4-kdc: Introduce a simple sdb_hdb shim layer
       via  85a041b s4-kdc: Introduce sdb a KDC backend abstraction
       via  535035a s4-kdc: PAC_GLUE does not depend on hdb anymore.
       via  b9203dc krb5-wrap: Use the principal returned by the KDC to create the ccache
       via  217d4c1 s4-auth: Call krb5_get_init_creds_opt_set_canonicalize() in MIT case.
       via  80509df s3-auth: Add MIT return code for KDC not reachable
       via  1c4dc00 s4-kdc: Use smb_krb5_principal_get_(type|realm) in db-glue
      from  3c0f934 tests: Add regression test for s3-passdb: Respect LOOKUP_NAME_GROUP flag in sid lookup.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d49b4aafa81d121e9122f84b0e66fb566d70c3e9
Author: Günther Deschner <gd at samba.org>
Date:   Thu May 8 17:13:04 2014 +0200

    s4-kdc: Use sdb in db-glue and hdb-samba4
    
    Guenther
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Jul 30 13:29:27 CEST 2015 on sn-devel-104

commit 99d3719e7d3073989442cffe635c3ac7a0bc200c
Author: Günther Deschner <gd at samba.org>
Date:   Thu May 8 17:09:08 2014 +0200

    s4-kdc: Introduce a simple sdb_hdb shim layer
    
    Guenther
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

commit 85a041bab594d7b4e88995c9a7c6f509d8cc19f3
Author: Günther Deschner <gd at samba.org>
Date:   Wed May 7 16:52:42 2014 +0200

    s4-kdc: Introduce sdb a KDC backend abstraction
    
    Guenther
    
    Pair-Programmed-With: Andreas Schneider <asn at samba.org>
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

commit 535035affc3297a89dc9e342c11ff119967dc271
Author: Günther Deschner <gd at samba.org>
Date:   Mon May 12 10:40:24 2014 +0200

    s4-kdc: PAC_GLUE does not depend on hdb anymore.
    
    Guenther
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

commit b9203dc1571be66a6dd23c88a93d0efd6d305f03
Author: Andreas Schneider <asn at cryptomilk.org>
Date:   Tue Feb 3 13:00:34 2015 +0100

    krb5-wrap: Use the principal returned by the KDC to create the ccache
    
    We request a TGT in uppercase from the KDC. We turned on
    canonicalization for that, so the KDC returns the principal in
    lowercase. As we use the uppercase principal to create the ccache, we
    fail to find the tickets we need later because it is stored in the
    incorrect case. You have to use the principal returned by the KDC here.
    
    Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

commit 217d4c1531aab25a1a93962ce38ff7fe9ac1bb2c
Author: Günther Deschner <gd at samba.org>
Date:   Fri Aug 1 13:11:41 2014 +0200

    s4-auth: Call krb5_get_init_creds_opt_set_canonicalize() in MIT case.
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

commit 80509dffdb7ebaa57e05589a9a896bf9a57a00e7
Author: Andreas Schneider <asn at samba.org>
Date:   Tue May 5 16:53:24 2015 +0200

    s3-auth: Add MIT return code for KDC not reachable
    
    This fixes authentication with local credentials against its own server
    using netbios domain name.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

commit 1c4dc00a5e7b3cf282a0ac79aafd702bcbf091ac
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Jul 24 17:48:08 2015 +0200

    s4-kdc: Use smb_krb5_principal_get_(type|realm) in db-glue
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/krb5_wrap/krb5_samba.c            |   8 +
 source4/auth/gensec/gensec_gssapi.c   |   1 +
 source4/auth/kerberos/kerberos_util.c |   9 +-
 source4/kdc/db-glue.c                 | 206 ++++++++++------------
 source4/kdc/db-glue.h                 |   8 +-
 source4/kdc/hdb-samba4.c              |  49 +++++-
 source4/kdc/pac-glue.c                |   1 -
 source4/kdc/sdb.c                     | 131 ++++++++++++++
 source4/kdc/sdb.h                     | 126 ++++++++++++++
 source4/kdc/sdb_to_hdb.c              | 315 ++++++++++++++++++++++++++++++++++
 source4/kdc/wscript_build             |  19 +-
 11 files changed, 745 insertions(+), 128 deletions(-)
 create mode 100644 source4/kdc/sdb.c
 create mode 100644 source4/kdc/sdb.h
 create mode 100644 source4/kdc/sdb_to_hdb.c


Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 22975c1..490d723 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1717,6 +1717,14 @@ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc,
 		return code;
 	}
 
+#ifndef SAMBA4_USES_HEIMDAL /* MIT */
+	/*
+	 * We need to store the principal as returned from the KDC to the
+	 * credentials cache. If we don't do that the KRB5 library is not
+	 * able to find the tickets it is looking for
+	 */
+	principal = my_creds.client;
+#endif
 	code = krb5_cc_initialize(ctx, cc, principal);
 	if (code) {
 		goto done;
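Review bot: After `principal = my_creds.client;` the variable `principal` points into memory owned by `my_creds`, so its lifetime is now tied to whenever the creds contents are freed. The cleanup after `done:` is outside this hunk, so confirm nothing reads `principal` once `my_creds` has been released, and that whatever principal this assignment replaces is still freed by its owner. The comment could also record the trust consequence: the ccache's default principal is now the client name the KDC returned rather than the name that was requested, e.g. `/* principal now aliases my_creds.client; do not use it after my_creds is freed */`.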
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index a12447a..ed6d08a 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -276,6 +276,7 @@ static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_securi
 	case KRB5KDC_ERR_CLIENT_REVOKED:
 		DEBUG(1, ("Account locked out: %s\n", error_string));
 		return NT_STATUS_ACCOUNT_LOCKED_OUT;
+	case KRB5_REALM_UNKNOWN:
 	case KRB5_KDC_UNREACH:
 		DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
 		return NT_STATUS_NO_LOGON_SERVERS;
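Review bot: The new `case KRB5_REALM_UNKNOWN:` falls through to the `KRB5_KDC_UNREACH` branch, so an unknown realm is logged as `Cannot reach a KDC we require to contact` and returned as `NT_STATUS_NO_LOGON_SERVERS`. That makes a mistyped or misconfigured realm indistinguishable from a network outage in the logs. If callers treat this status as a cue to try another authentication mechanism (the commit message suggests so, but that code is not in the hunk), the fallback now also triggers for unknown realms, which deserves a comment on the label such as `/* no KDC known for the realm: treated like an unreachable KDC so callers may fall back */`. The switch begins outside the hunk.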
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 76d46bc..2026af3 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -309,6 +309,8 @@ done:
 	 */
 	krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context,
 					  krb_options, true);
+#else /* MIT */
+	krb5_get_init_creds_opt_set_canonicalize(krb_options, true);
 #endif
 
 	tries = 2;
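Review bot: The MIT branch enables canonicalization without a comment, while the Heimdal branch above it carries one (its tail is visible at the top of the hunk). With canonicalization on, the KDC may return a client principal that differs from the requested one, which is why another commit in this push takes the ccache principal from the returned creds. I would add `/* Ask the KDC to canonicalize; the returned client principal may differ from the requested one */` above the call. The `#if` that this `#else` belongs to opens outside the hunk.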
@@ -426,7 +428,12 @@ done:
 									     ret, mem_ctx));
 		talloc_free(mem_ctx);
 		return ret;
-	} 
+	}
+
+	DEBUG(10,("kinit for %s succeeded\n",
+		cli_credentials_get_principal(credentials, mem_ctx)));
+
+
 	talloc_free(mem_ctx);
 	return 0;
 }
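Review bot: The new `DEBUG(10, ...)` passes the result of `cli_credentials_get_principal(credentials, mem_ctx)` straight to `%s`, and nothing in the hunk guarantees that the call returns non-NULL. If it can return NULL (for example on allocation failure), the format call has undefined behaviour at debug level 10. Fetching the name into a local first and logging `name != NULL ? name : "(unknown)"` avoids that. The two consecutive blank lines after the statement can be reduced to one. The function starts outside the hunk.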
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8da0da0..af9fa26 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -32,7 +32,7 @@
 #include "../lib/crypto/md4.h"
 #include "system/kerberos.h"
 #include "auth/kerberos/kerberos.h"
-#include <hdb.h>
+#include "kdc/sdb.h"
 #include "kdc/samba_kdc.h"
 #include "kdc/db-glue.h"
 
@@ -84,9 +84,9 @@ static time_t ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const cha
     return timegm(&tm);
 }
 
-static HDBFlags uf2HDBFlags(krb5_context context, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type)
+static struct SDBFlags uf2SDBFlags(krb5_context context, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type)
 {
-	HDBFlags flags = int2HDBFlags(0);
+	struct SDBFlags flags = int2SDBFlags(0);
 
 	/* we don't allow kadmin deletes */
 	flags.immutable = 1;
@@ -189,25 +189,13 @@ static HDBFlags uf2HDBFlags(krb5_context context, uint32_t userAccountControl, e
 static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
 {
 	if (p->entry_ex != NULL) {
-		hdb_entry_ex *entry_ex = p->entry_ex;
-		free_hdb_entry(&entry_ex->entry);
+		struct sdb_entry_ex *entry_ex = p->entry_ex;
+		free_sdb_entry(&entry_ex->entry);
 	}
 
 	return 0;
 }
 
-static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
-{
-	/* this function is called only from hdb_free_entry().
-	 * Make sure we neutralize the destructor or we will
-	 * get a double free later when hdb_free_entry() will
-	 * try to call free_hdb_entry() */
-	talloc_set_destructor(entry_ex->ctx, NULL);
-
-	/* now proceed to free the talloc part */
-	talloc_free(entry_ex->ctx);
-}
-
 static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 						    struct samba_kdc_db_context *kdc_db_ctx,
 						    TALLOC_CTX *mem_ctx,
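Review bot: `samba_kdc_entry_destructor` now treats `p->entry_ex` as a `struct sdb_entry_ex *`, yet later hunks in this file remove both `p->entry_ex = entry_ex;` assignments, so nothing visible in db-glue.c sets the field any more. If it stays NULL, the `free_sdb_entry()` branch is dead code; if another layer stores a different entry type there (the field's declaration is not in this view), the destructor would release it with the wrong routine. Please document on the destructor who sets `entry_ex` and with which type, e.g. `/* entry_ex is only set by <owner>; NULL means the caller frees the sdb entry */`, or drop the branch if it is unused.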
@@ -216,7 +204,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 						    bool is_rodc,
 						    uint32_t userAccountControl,
 						    enum samba_kdc_ent_type ent_type,
-						    hdb_entry_ex *entry_ex)
+						    struct sdb_entry_ex *entry_ex)
 {
 	krb5_error_code ret = 0;
 	enum ndr_err_code ndr_err;
@@ -377,7 +365,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 		if (kdc_db_ctx->rodc) {
 			/* We are on an RODC, but don't have keys for this account.  Signal this to the caller */
 			/* TODO:  We need to call a generalised version of auth_sam_trigger_repl_secret from here */
-			return HDB_ERR_NOT_FOUND_HERE;
+			return SDB_ERR_NOT_FOUND_HERE;
 		}
 
 		/* oh, no password.  Apparently (comment in
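Review bot: `samba_kdc_message2entry_keys` still returns `krb5_error_code`, but the RODC path now returns `SDB_ERR_NOT_FOUND_HERE` instead of the HDB code. The definitions of the SDB constants and any translation back to HDB codes are not visible in this truncated changeset, so confirm the Heimdal-facing layer maps every `SDB_ERR_*` value; an unmapped code would reach the KDC as a generic failure rather than the signal the comment above the return describes. A one-line comment at the return, `/* translated to the HDB error by the hdb shim */`, would help readers. The same applies to the `SDB_ERR_NOENTRY` returns in the later hunks of this file.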
@@ -388,17 +376,14 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 
 	/* allocate space to decode into */
 	entry_ex->entry.keys.len = 0;
-	entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(Key));
+	entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(struct sdb_key));
 	if (entry_ex->entry.keys.val == NULL) {
 		ret = ENOMEM;
 		goto out;
 	}
 
 	if (hash && (supported_enctypes & ENC_RC4_HMAC_MD5)) {
-		Key key;
-
-		key.mkvno = 0;
-		key.salt = NULL; /* No salt for this enc type */
+		struct sdb_key key = {};
 
 		ret = smb_krb5_keyblock_init_contents(context,
 						      ENCTYPE_ARCFOUR_HMAC,
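Review bot: `calloc(allocated_keys, sizeof(struct sdb_key))` repeats the element type by hand, which is exactly what this commit had to edit; `calloc(allocated_keys, sizeof(*entry_ex->entry.keys.val))` would stay correct across type changes. The same applies to the `calloc(num_keys, sizeof(struct sdb_key))` hunk in `samba_kdc_trust_message2entry` and to the cast `malloc(sizeof(struct sdb_event))` for `modified_by`. Separately, `struct sdb_key key = {};` relies on the empty-initializer extension; `= {0}` is the portable spelling, though the file already used `{}` before this change.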
@@ -415,7 +400,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 
 	if (pkb4) {
 		for (i=0; i < pkb4->num_keys; i++) {
-			Key key;
+			struct sdb_key key = {};
 
 			if (!pkb4->keys[i].value) continue;
 
@@ -423,9 +408,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 				continue;
 			}
 
-			key.mkvno = 0;
-			key.salt = NULL;
-
 			if (pkb4->salt.string) {
 				DATA_BLOB salt;
 
@@ -464,7 +446,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 			}
 			if (ret) {
 				if (key.salt) {
-					free_Salt(key.salt);
+					kerberos_free_data_contents(context, &key.salt->salt);
 					free(key.salt);
 					key.salt = NULL;
 				}
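Review bot: The error path frees only `key.salt->salt` and the `key.salt` allocation, and the same three lines are repeated in the `pkb3` loop further down. Whether `key.key` can already hold allocated key material at this point is not visible in the hunk; if it can, it should be released here too. A small static helper taking `context` and `&key` would keep the two loops in step and give one place to free every member of `struct sdb_key`.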
@@ -476,7 +458,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 		}
 	} else if (pkb3) {
 		for (i=0; i < pkb3->num_keys; i++) {
-			Key key;
+			struct sdb_key key = {};
 
 			if (!pkb3->keys[i].value) continue;
 
@@ -484,9 +466,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 				continue;
 			}
 
-			key.mkvno = 0;
-			key.salt = NULL;
-
 			if (pkb3->salt.string) {
 				DATA_BLOB salt;
 
@@ -517,7 +496,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 							      &key.key);
 			if (ret) {
 				if (key.salt) {
-					free_Salt(key.salt);
+					kerberos_free_data_contents(context, &key.salt->salt);
 					free(key.salt);
 					key.salt = NULL;
 				}
@@ -605,7 +584,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 					       unsigned flags,
 					       struct ldb_dn *realm_dn,
 					       struct ldb_message *msg,
-					       hdb_entry_ex *entry_ex)
+					       struct sdb_entry_ex *entry_ex)
 {
 	struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
 	uint32_t userAccountControl;
@@ -651,7 +630,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	}
 
 	p->kdc_db_ctx = kdc_db_ctx;
-	p->entry_ex = entry_ex;
 	p->realm_dn = talloc_reference(p, realm_dn);
 	if (!p->realm_dn) {
 		ret = ENOMEM;
@@ -660,11 +638,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 
 	talloc_set_destructor(p, samba_kdc_entry_destructor);
 
-	/* make sure we do not have bogus data in there */
-	memset(&entry_ex->entry, 0, sizeof(hdb_entry));
-
 	entry_ex->ctx = p;
-	entry_ex->free_entry = samba_kdc_free_entry;
 
 	userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
 
@@ -701,7 +675,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	 */
 
 	if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
-		if (flags & (HDB_F_CANON)) {
+		if (flags & (SDB_F_CANON)) {
 			/*
 			 * When requested to do so, ensure that the
 			 * both realm values in the principal are set
@@ -738,9 +712,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 			krb5_clear_error_message(context);
 			goto out;
 		}
-	} else if (flags & HDB_F_CANON && flags & HDB_F_FOR_AS_REQ) {
+	} else if (flags & SDB_F_CANON && flags & SDB_F_FOR_AS_REQ) {
 		/*
-		 * HDB_F_CANON maps from the canonicalize flag in the
+		 * SDB_F_CANON maps from the canonicalize flag in the
 		 * packet, and has a different meaning between AS-REQ
 		 * and TGS-REQ.  We only change the principal in the AS-REQ case
 		 */
@@ -773,7 +747,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	}
 
 	/* First try and figure out the flags based on the userAccountControl */
-	entry_ex->entry.flags = uf2HDBFlags(context, userAccountControl, ent_type);
+	entry_ex->entry.flags = uf2SDBFlags(context, userAccountControl, ent_type);
 
 	/* Windows 2008 seems to enforce this (very sensible) rule by
 	 * default - don't allow offline attacks on a user's password
@@ -794,11 +768,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	 * KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
 	 */
 	if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER && entry_ex->entry.flags.server == 0) {
-		ret = HDB_ERR_NOENTRY;
+		ret = SDB_ERR_NOENTRY;
 		krb5_set_error_message(context, ret, "samba_kdc_message2entry: no servicePrincipalName present for this server, refusing with no-such-entry");
 		goto out;
 	}
-	if (flags & HDB_F_ADMIN_DATA) {
+	if (flags & SDB_F_ADMIN_DATA) {
 		/* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
 		 * of the Heimdal KDC.  They are stored in a the traditional
 		 * DB for audit purposes, and still form part of the structure
@@ -816,7 +790,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 			goto out;
 		}
 
-		entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event));
+		entry_ex->entry.modified_by = (struct sdb_event *) malloc(sizeof(struct sdb_event));
 		if (entry_ex->entry.modified_by == NULL) {
 			ret = ENOMEM;
 			krb5_set_error_message(context, ret, "malloc: out of memory");
@@ -989,7 +963,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 out:
 	if (ret != 0) {
 		/* This doesn't free ent itself, that is for the eventual caller to do */
-		hdb_free_entry(context, entry_ex);
+		sdb_free_entry(entry_ex);
 		ZERO_STRUCTP(entry_ex);
 	} else {
 		talloc_steal(kdc_db_ctx, entry_ex->ctx);
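Review bot: The error path calls `sdb_free_entry(entry_ex)` on a structure this function no longer zeroes, because the `memset(&entry_ex->entry, 0, ...)` was removed earlier in this commit. Unless every caller passes a zero-initialised `struct sdb_entry_ex` (callers are not in this truncated view), a `goto out` taken before every field is assigned could hand uninitialised pointers to the free routine. `samba_kdc_trust_message2entry` still keeps its memset, so the two functions now disagree; either restore `memset(&entry_ex->entry, 0, sizeof(struct sdb_entry));` here or state the precondition in the function comment. The trust variant's `out:` path also lacks the `ZERO_STRUCTP(entry_ex)` that follows the free here.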
@@ -1010,7 +984,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 					       unsigned flags,
 					       uint32_t kvno,
 					       struct ldb_message *msg,
-					       hdb_entry_ex *entry_ex)
+					       struct sdb_entry_ex *entry_ex)
 {
 	struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
 	const char *our_realm = lpcfg_realm(lp_ctx);
@@ -1048,14 +1022,14 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
 	if (!(trust_direction_flags & direction)) {
 		krb5_clear_error_message(context);
-		ret = HDB_ERR_NOENTRY;
+		ret = SDB_ERR_NOENTRY;
 		goto out;
 	}
 
 	dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
 	if (dnsdomain == NULL) {
 		krb5_clear_error_message(context);
-		ret = HDB_ERR_NOENTRY;
+		ret = SDB_ERR_NOENTRY;
 		goto out;
 	}
 	partner_realm = strupper_talloc(mem_ctx, dnsdomain);
@@ -1079,7 +1053,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 
 	if (password_val == NULL) {
 		krb5_clear_error_message(context);
-		ret = HDB_ERR_NOENTRY;
+		ret = SDB_ERR_NOENTRY;
 		goto out;
 	}
 
@@ -1098,16 +1072,14 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	}
 
 	p->kdc_db_ctx = kdc_db_ctx;
-	p->entry_ex = entry_ex;
 	p->realm_dn = realm_dn;
 
 	talloc_set_destructor(p, samba_kdc_entry_destructor);
 
 	/* make sure we do not have bogus data in there */
-	memset(&entry_ex->entry, 0, sizeof(hdb_entry));
+	memset(&entry_ex->entry, 0, sizeof(struct sdb_entry));
 
 	entry_ex->ctx = p;
-	entry_ex->free_entry = samba_kdc_free_entry;
 
 	/* use 'whenCreated' */
 	entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
@@ -1185,7 +1157,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	if (password_blob.previous.count == 0) {
 		/* there is no previous password */
 		use_previous = false;
-	} else if (!(flags & HDB_F_KVNO_SPECIFIED)) {
+	} else if (!(flags & SDB_F_KVNO_SPECIFIED)) {
 		/*
 		 * If not specified we use the lowest kvno
 		 * for the first hour after an update.
@@ -1223,7 +1195,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	}
 
 	/* use the kvno the client specified, if available */
-	if (flags & HDB_F_KVNO_SPECIFIED) {
+	if (flags & SDB_F_KVNO_SPECIFIED) {
 		entry_ex->entry.kvno = kvno;
 	} else {
 		entry_ex->entry.kvno = *auth_kvno;
@@ -1282,11 +1254,11 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	if (num_keys == 0) {
 		DEBUG(1,(__location__ ": no usable key found\n"));
 		krb5_clear_error_message(context);
-		ret = HDB_ERR_NOENTRY;
+		ret = SDB_ERR_NOENTRY;
 		goto out;
 	}
 
-	entry_ex->entry.keys.val = calloc(num_keys, sizeof(Key));
+	entry_ex->entry.keys.val = calloc(num_keys, sizeof(struct sdb_key));
 	if (entry_ex->entry.keys.val == NULL) {
 		krb5_clear_error_message(context);
 		ret = ENOMEM;
@@ -1294,7 +1266,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	}
 
 	if (password_utf8.length != 0) {
-		Key key = {};
+		struct sdb_key key = {};
 		krb5_const_principal salt_principal = entry_ex->entry.principal;
 		krb5_data salt;
 		krb5_data cleartext_data;
@@ -1345,7 +1317,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 	}
 
 	if (password_hash != NULL) {
-		Key key = {};
+		struct sdb_key key = {};
 
 		ret = smb_krb5_keyblock_init_contents(context,
 						      ENCTYPE_ARCFOUR_HMAC,
@@ -1360,7 +1332,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 		entry_ex->entry.keys.len++;
 	}
 
-	entry_ex->entry.flags = int2HDBFlags(0);
+	entry_ex->entry.flags = int2SDBFlags(0);
 	entry_ex->entry.flags.immutable = 1;
 	entry_ex->entry.flags.invalid = 0;
 	entry_ex->entry.flags.server = 1;
@@ -1396,7 +1368,7 @@ out:
 
 	if (ret != 0) {
 		/* This doesn't free ent itself, that is for the eventual caller to do */
-		hdb_free_entry(context, entry_ex);
+		sdb_free_entry(entry_ex);
 	} else {
 		talloc_steal(kdc_db_ctx, entry_ex->ctx);
 	}
@@ -1419,7 +1391,7 @@ static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_c
 	if (NT_STATUS_IS_OK(status)) {
 		return 0;
 	} else if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
-		return HDB_ERR_NOENTRY;
+		return SDB_ERR_NOENTRY;
 	} else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
 		int ret = ENOMEM;
 		krb5_set_error_message(context, ret, "get_sam_result_trust: out of memory");
@@ -1555,7 +1527,7 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
 	TALLOC_FREE(principal_string);
 
 	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
-		return HDB_ERR_NOENTRY;
+		return SDB_ERR_NOENTRY;
 	} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
 		return ENOMEM;
 	} else if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1570,7 +1542,7 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context,
 					       TALLOC_CTX *mem_ctx,
 					       krb5_const_principal principal,
 					       unsigned flags,
-					       hdb_entry_ex *entry_ex) {
+					       struct sdb_entry_ex *entry_ex) {
 	struct ldb_dn *realm_dn;
 	krb5_error_code ret;
 	struct ldb_message *msg = NULL;
@@ -1595,7 +1567,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 					      krb5_const_principal principal,
 					      unsigned flags,
 					      uint32_t kvno,
-					      hdb_entry_ex *entry_ex)
+					      struct sdb_entry_ex *entry_ex)
 {
 	struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
 	krb5_error_code ret;
@@ -1607,18 +1579,18 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 	realm_from_princ_malloc = smb_krb5_principal_get_realm(context, principal);
 	if (realm_from_princ_malloc == NULL) {
 		/* can't happen */
-		return HDB_ERR_NOENTRY;
+		return SDB_ERR_NOENTRY;
 	}
 	realm_from_princ = talloc_strdup(mem_ctx, realm_from_princ_malloc);
 	free(realm_from_princ_malloc);
 	if (realm_from_princ == NULL) {
-		return HDB_ERR_NOENTRY;
+		return SDB_ERR_NOENTRY;
 	}
 
 	if (krb5_princ_size(context, principal) != 2
 	    || (principal_comp_strcmp(context, principal, 0, KRB5_TGS_NAME) != 0)) {
 		/* Not a krbtgt */
-		return HDB_ERR_NOENTRY;
+		return SDB_ERR_NOENTRY;
 	}
 
 	/* krbtgt case.  Either us or a trusted realm */
@@ -1635,11 +1607,11 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 		/* w2k8r2 sometimes gives us a kvno of 255 for inter-domain
 		   trust tickets. We don't yet know what this means, but we do
 		   seem to need to treat it as unspecified */
-		if (flags & HDB_F_KVNO_SPECIFIED) {
+		if (flags & SDB_F_KVNO_SPECIFIED) {
 			krbtgt_number = SAMBA_KVNO_GET_KRBTGT(kvno);
 			if (kdc_db_ctx->rodc) {
 				if (krbtgt_number != kdc_db_ctx->my_krbtgt_number) {
-					return HDB_ERR_NOT_FOUND_HERE;
+					return SDB_ERR_NOT_FOUND_HERE;
 				}
 			}
 		} else {
@@ -1665,17 +1637,17 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 		if (lret == LDB_ERR_NO_SUCH_OBJECT) {
 			krb5_warnx(context, "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
 				   (unsigned)(krbtgt_number));
-			krb5_set_error_message(context, HDB_ERR_NOENTRY,
+			krb5_set_error_message(context, SDB_ERR_NOENTRY,
 					       "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
 					       (unsigned)(krbtgt_number));
-			return HDB_ERR_NOENTRY;
+			return SDB_ERR_NOENTRY;
 		} else if (lret != LDB_SUCCESS) {


-- 
Samba Shared Repository


