[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Thu Mar 24 10:18:01 UTC 2022
The branch, master has been updated
via d1d65d271ec s4:kdc: Expose samba_kdc_message2entry_keys()
via 29eb7e2488e s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
via 2340a9a44f4 s4:kdc: Pull auth_sam_trigger_repl_secret() up one layer to samba_kdc_message2entry()
via 2684856aac6 s4:kdc: Add const to "msg" parameter in samba_kdc_message2entry_keys()
via 548169a3e20 s4:kdc: Pass supported enctypes to samba_kdc_set_random_keys()
via 2d9fd3855f3 s4:kdc: Pass supported enctypes to samba_kdc_set_fixed_keys()
via 01e7425fab7 s4:kdc: teach samba_kdc_message2entry_keys() to handle old and older keys too
via 5f28a9481f4 s4:kdc: add old and older keys to sdb_entry
via d062225e25c s4:kdc: pass flags and kvno down to samba_kdc_message2entry_keys()
via d05f2323d30 s4:kdc: finally remove unused 'struct sdb_entry_ex'
via 57bf9752315 s4:kdc: avoid using sdb_entry_ex in hdb_samba4_{first,next}key()
via f917a20fcee s4:kdc: avoid using sdb_entry_ex in hdb_samba4_fetch_kvno()
via bf9ec0a67bc s4:kdc: avoid using sdb_entry_ex in netr_samlogon_generic_logon()
via e7b101e12ee s4:kdc: avoid using sdb_entry_ex in mit_samba_get_{first,next}key()
via 61548c7c940 s4:kdc: avoid using sdb_entry_ex in mit_samba_get_principal()
via 5926219278a s4:kdc: avoid using sdb_entry_ex in samba_wdc_reget_pac()
via 68dfb46361c s4:libnet: avoid using sdb_entry_ex and use sdb_entry directly
via 14487c4027b s4:kdc: samba_kdc_{first,next}key() only need sdb_entry
via 3cba1641fd6 s4:kdc: samba_kdc_fetch() only needs sdb_entry
via 83b3695bd3a s4:kdc: remove unused sdb_entry_ex_to_kdb_entry_ex()
via f223f2150bf s4:kdc: use sdb_entry_to_krb5_db_entry() directly
via 225c610f68c s4:kdc: remove unused sdb_entry_ex_to_hdb_entry_ex()
via dceae1bb132 s4:kdc: use sdb_entry_to_hdb_entry() directly
via a71b74b2071 s4:kdc: hdb_samba4_fetch_fast_cookie() don't need sdb_entry_ex
via 158132c9d01 s4:kdc: samba_kdc_seq() only needs sdb_entry
via ac1cdffe7c6 s4:kdc: samba_kdc_fetch_server() only needs sdb_entry
via e74a8992ccc s4:kdc: samba_kdc_fetch_krbtgt() only needs sdb_entry
via b8c738a956c s4:kdc: samba_kdc_fetch_client() only needs sdb_entry
via e528c93c54c s4:kdc: samba_kdc_lookup_realm() only needs sdb_entry
via e5eb8c8c3dc s4:kdc: only pass sdb_entry to samba_kdc_message2entry()
via d3770c7d967 s4:kdc: only pass sdb_entry to samba_kdc_trust_message2entry()
via 57829933c33 s4:kdc: only ZERO and free sdb_entry in samba_kdc_trust_message2entry()
via f81e3b4988d s4:kdc: s/entry_ex->entry\./entry->/g in samba_kdc_trust_message2entry()
via 049c906091e s4:kdc: only ZERO and free sdb_entry in samba_kdc_message2entry()
via 477ea29e91a s4:kdc: s/entry_ex->entry\./entry->/g in samba_kdc_message2entry()
via 4878ea144a1 s4:kdc: only pass sdb_entry to samba_kdc_message2entry_keys()
via d5951bbfa70 s4:kdc: remove unused principal argument to samba_kdc_trust_message2entry()
via 79565856c2a s4:kdc: split out a samba_kdc_fill_user_keys() helper function
via c3171a73611 s4:kdc: remove Primary:Kerberos usage from samba_kdc_message2entry_keys()
via b8c0f40690c s4:kdc: only pass keys to samba_kdc_set_random_keys()
via 35508449bfd s4:kdc: only pass sdb_keys to samba_kdc_set_fixed_keys()
via 28924f35668 s4:kdc: add a samba_kdc_sort_keys() function using TYPESAFE_QSORT()
via c95a0bca5fe s4:kdc: expose a sdb_entry_free() function
via f8d9cdb5ffc s4:kdc: expose sdb_entry_to_hdb_entry() function
via cd295a89792 s4:kdc: expose a sdb_entry_to_krb5_db_entry() function
via c2eb50861d5 s4:kdc: let samba_kdc_entry take references to sdb_entry and kdc_entry
via 788ccb8cb99 s4:kdc: make the logic between ZERO_STRUCTP(entry_ex) and sdb_free_entry(entry_ex) clearer
via 2323f9d2e23 s4:kdc: let sdb_entry have a typed samba_kdc_entry pointer
via 732d9ceedc2 s4:kdc: remove unused samba_kdc_entry->entry_ex
via 9c7de9a56e2 s4:kdc: split out a sdb_keys_free() helper function
via d2f471f9a47 s4:kdc: rename free_sdb_key() as public sdb_key_free() function
via 9bc5aeddfd2 s4:kdc: make free_sdb_entry() static
via a77933f9d27 s4:kdc: let samba_kdc_entry_destructor() call sdb_free_entry()
via ccd11c2c25c s4:kdc: don't leak salt in free_sdb_key()
via 97dbdb48d85 s4:kdc: call krb5_free_keyblock_contents() in free_sdb_key()
via ff03d88d6e5 s4:kdc: remove unused sdb_entry_ex->free_entry()
via 4f6a34df68e s4:libnet: ask for SDB_F_ADMIN_DATA in order to create a keytab entry
via 244e188083a s4:libnet: sdb_free_entry() already clears everything
via 829bb366f33 s4:kdc: let sdb_free_entry clear sdb_entry_ex at the end
via 6152db35a66 s4:kdc: let sdb_entry_ex_to_krb5_db_entry() initialize 'k' at the beginning
via ba6fccf4439 s4:kdc: let sdb_entry_to_hdb_entry() initialize *h at the beginning
via 7312bca8c7a s4:kdc: remove unused mkvno from sdb_key
via ab0946a75d5 s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos
from 80d72b532f6 smbd: Make an if-statement in ReadDirName() a bit more readable
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d1d65d271ecda41dc13627bbca213181dac28c41
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 8 22:49:31 2022 +1300
s4:kdc: Expose samba_kdc_message2entry_keys()
This allows the KDC to share the supplementalCredentials parsing code
with other parts of Samba that could use it.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Mar 24 10:17:32 UTC 2022 on sn-devel-184
commit 29eb7e2488e2c55ceacb859a57836a08cbb7f8e8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 23 13:07:29 2022 +1300
s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
By putting this in the caller we potentially allow samba_kdc_message2entry_keys()
to be reused by a non-KDC caller.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 2340a9a44f429f0b2e15668c1646b8efedece6c9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 23 10:13:54 2022 +1300
s4:kdc: Pull auth_sam_trigger_repl_secret() up one layer to samba_kdc_message2entry()
This avoids making a call out in samba_kdc_message2entry_keys() and allows
for potential reuse of the key parsing code.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 2684856aac6a789ef13fbcfc631890d7447b53f8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Mar 8 22:48:50 2022 +1300
s4:kdc: Add const to "msg" parameter in samba_kdc_message2entry_keys()
This will help with a future caller.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 548169a3e20cd6ee4a5d9320b85b2dea4ffe0eea
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 23 09:47:53 2022 +1300
s4:kdc: Pass supported enctypes to samba_kdc_set_random_keys()
We should not supprise the callers by returning more keys than we asked to
filter by and avoids duplicating the protected_users logic within
samba_kdc_set_fixed_keys().
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 2d9fd3855f3c50c17111a72f6247aabd02e575be
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 23 09:47:53 2022 +1300
s4:kdc: Pass supported enctypes to samba_kdc_set_fixed_keys()
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 01e7425fab7fcd8887dbd25c7179bb6669853fae
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 11 21:42:06 2022 +0100
s4:kdc: teach samba_kdc_message2entry_keys() to handle old and older keys too
We return the requested kvno if given, otherwise we include the
old and older keys for CLIENT|FOR_AS_REQ or SDB_F_ADMIN_DATA lookups.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5f28a9481f45903d9d7a405f89ead314dbebd775
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 00:41:13 2022 +0100
s4:kdc: add old and older keys to sdb_entry
This is the first step to return the password history
in order to avoid badPwdCount updates for failing
pre-authentication with passwords from the recent history.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d062225e25c85c942f79ce426a003d122b69ae9b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jul 19 13:22:48 2019 +0200
s4:kdc: pass flags and kvno down to samba_kdc_message2entry_keys()
We need a ways to ask for a specific kvno if SDB_F_KVNO_SPECIFIED
is requested. And also include the old and older keys from
the password history in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d05f2323d308fe4f3e88979f3ee5b41461c436f9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 04:29:20 2022 +0100
s4:kdc: finally remove unused 'struct sdb_entry_ex'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 57bf97523150f2052bee2e8789613d65e7ab2a52
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 04:17:01 2022 +0100
s4:kdc: avoid using sdb_entry_ex in hdb_samba4_{first,next}key()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f917a20fcee101bf78fdc3c6e39e4c66c756c7fb
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 04:17:01 2022 +0100
s4:kdc: avoid using sdb_entry_ex in hdb_samba4_fetch_kvno()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bf9ec0a67bc4078d4d50795bd57a40d1ef212b75
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 04:17:01 2022 +0100
s4:kdc: avoid using sdb_entry_ex in netr_samlogon_generic_logon()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e7b101e12ee26104089facc4f5e6a94f90b62e32
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 04:17:01 2022 +0100
s4:kdc: avoid using sdb_entry_ex in mit_samba_get_{first,next}key()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 61548c7c940f5d05e36757c7b65f289ef4100ea9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 04:17:01 2022 +0100
s4:kdc: avoid using sdb_entry_ex in mit_samba_get_principal()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5926219278ac63a40cd48d0d9f362f7cf46e9d90
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 04:17:01 2022 +0100
s4:kdc: avoid using sdb_entry_ex in samba_wdc_reget_pac()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 68dfb46361c3d0f2592b597a07fda3d85c87b21c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 04:17:01 2022 +0100
s4:libnet: avoid using sdb_entry_ex and use sdb_entry directly
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 14487c4027baad3aff94bdaba75e9d6ef86c03b9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:43:25 2022 +0100
s4:kdc: samba_kdc_{first,next}key() only need sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3cba1641fd6d11720a10935be48bd56f4acbc09d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:43:25 2022 +0100
s4:kdc: samba_kdc_fetch() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 83b3695bd3aa31d94640b682567df141e28f267c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 04:00:09 2022 +0100
s4:kdc: remove unused sdb_entry_ex_to_kdb_entry_ex()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f223f2150bf499e3a62bb8d05ac71e27bfbf7c2a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:57:38 2022 +0100
s4:kdc: use sdb_entry_to_krb5_db_entry() directly
We should avoid sdb_entry_ex, as it will be removed soon.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 225c610f68c3ae7438e3b3c57b234229f1758da0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 04:00:09 2022 +0100
s4:kdc: remove unused sdb_entry_ex_to_hdb_entry_ex()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dceae1bb132993f8aa898b7b42e40608a77634c8
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:57:38 2022 +0100
s4:kdc: use sdb_entry_to_hdb_entry() directly
We should avoid sdb_entry_ex, as it will be removed soon.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a71b74b2071e3eac1a9636d6c1e7e89ae0843b9e
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:52:43 2022 +0100
s4:kdc: hdb_samba4_fetch_fast_cookie() don't need sdb_entry_ex
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 158132c9d011d5e04b5a268ef071be580b55a010
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:43:25 2022 +0100
s4:kdc: samba_kdc_seq() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ac1cdffe7c6cdae49071d4fd2fbe37216f74f21f
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:43:25 2022 +0100
s4:kdc: samba_kdc_fetch_server() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e74a8992cccb86e38139a08bd123de11f6dd630b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:43:25 2022 +0100
s4:kdc: samba_kdc_fetch_krbtgt() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b8c738a956cef6da59a6b19f083a591963427964
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:43:25 2022 +0100
s4:kdc: samba_kdc_fetch_client() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e528c93c54c3acb089ed49f23c2a4434b0f8d4e9
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:43:25 2022 +0100
s4:kdc: samba_kdc_lookup_realm() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e5eb8c8c3dc1c2321de680f3232b9969d93a70de
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:36:31 2022 +0100
s4:kdc: only pass sdb_entry to samba_kdc_message2entry()
It no longer needs sdb_entry_ex.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d3770c7d967a42bf120a30c4985d90248b254bed
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:36:31 2022 +0100
s4:kdc: only pass sdb_entry to samba_kdc_trust_message2entry()
It no longer needs sdb_entry_ex.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 57829933c33114ebf3d773865c6aea53995d9cd1
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:29:21 2022 +0100
s4:kdc: only ZERO and free sdb_entry in samba_kdc_trust_message2entry()
sdb_entry_ex only contains sdb_entry, so this is still doing
the same, but we want to remove sdb_entry_ex soon.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f81e3b4988d9820a1265b3b8c4e6901242318aab
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:25:12 2022 +0100
s4:kdc: s/entry_ex->entry\./entry->/g in samba_kdc_trust_message2entry()
We should avoid using entry_ex->entry as sdb_entry_ex will be removed.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 049c906091ee6754bb18f329cfbb9e0daf63af6c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:29:21 2022 +0100
s4:kdc: only ZERO and free sdb_entry in samba_kdc_message2entry()
sdb_entry_ex only contains sdb_entry, so this is still doing
the same, but we want to remove sdb_entry_ex soon.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 477ea29e91a915c0b94eaa1d35f4e1e0e331f111
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:25:12 2022 +0100
s4:kdc: s/entry_ex->entry\./entry->/g in samba_kdc_message2entry()
We should avoid using entry_ex->entry as sdb_entry_ex will be removed.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4878ea144a14330481ae085c6cf3c9b3dc0485ed
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 03:16:32 2022 +0100
s4:kdc: only pass sdb_entry to samba_kdc_message2entry_keys()
sdb_entry_ex will be removed as it just contains sdb_entry.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d5951bbfa7011109a4add47b7acfa64527e8df85
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 3 14:12:02 2022 +0100
s4:kdc: remove unused principal argument to samba_kdc_trust_message2entry()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 79565856c2aed0554534bd22b9bfdfe2bef865d9
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 11 21:46:28 2022 +0100
s4:kdc: split out a samba_kdc_fill_user_keys() helper function
This will simplify further changes, e.g. asking for a specific kvno
or returning the password history in order to prevent
badPwdCount updates with passwords in the history.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c3171a73611a61c60fec4ae5d1373941f7e57491
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 8 14:25:53 2022 +0100
s4:kdc: remove Primary:Kerberos usage from samba_kdc_message2entry_keys()
Most likely the kerberos libraries don't support DES anymore, so
there's no point in exposing them at all.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b8c0f40690ce73ea2f86a87e636f3e28b31c5604
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 22 18:11:44 2022 +0100
s4:kdc: only pass keys to samba_kdc_set_random_keys()
This prepares the removal of sdb_entry_ex.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 35508449bfd3ad7d0599df2814d3371332713657
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 22 18:09:33 2022 +0100
s4:kdc: only pass sdb_keys to samba_kdc_set_fixed_keys()
This prepares the removal of sdb_entry_ex.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 28924f35668356f13f7ad3dcf1b9972d0f63d0cb
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 8 15:08:57 2022 +0100
s4:kdc: add a samba_kdc_sort_keys() function using TYPESAFE_QSORT()
This is better than calloc/free each time.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c95a0bca5fec4b8150a71278e0d12c8b9abe0ea1
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 22 17:59:19 2022 +0100
s4:kdc: expose a sdb_entry_free() function
We'll remove sdb_entry_ex soon.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f8d9cdb5ffc4e3fb3d56b42715669aa94acebb9c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 22 17:55:54 2022 +0100
s4:kdc: expose sdb_entry_to_hdb_entry() function
We'll remove sdb_entry_ex soon.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cd295a897920c109ae2a6a1fd5f5639ac04e38d7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 22 17:55:54 2022 +0100
s4:kdc: expose a sdb_entry_to_krb5_db_entry() function
We'll remove sdb_entry_ex soon.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c2eb50861d52dbf32e021beb7a100f4446e1629b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 22 17:04:22 2022 +0100
s4:kdc: let samba_kdc_entry take references to sdb_entry and kdc_entry
kdc_entry can be hdb_entry or krb5_db_entry.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 788ccb8cb99f56128331d98ec08c521547b98232
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 8 16:50:14 2022 +0100
s4:kdc: make the logic between ZERO_STRUCTP(entry_ex) and sdb_free_entry(entry_ex) clearer
samba_kdc_[trust_]message2entry() always starts with
ZERO_STRUCTP(entry_ex) and cleans up on error with
sdb_free_entry(entry_ex), leaving a cleared structure again.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2323f9d2e23fd017884c68002fa376d27ac9074e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 22 16:35:58 2022 +0100
s4:kdc: let sdb_entry have a typed samba_kdc_entry pointer
Both layers are owned by us so there's no need for an void
pointer.
This simplifies the code a lot and allows further cleanups.
Eventually we can remove sdb_entry_ex and only use sdb_entry,
as Heimdal also removed hdb_entry_ex.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 732d9ceedc2a6701c8006cda15ecb315806a5ca7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 22 16:57:57 2022 +0100
s4:kdc: remove unused samba_kdc_entry->entry_ex
It will only ever point to an sdb_entry_ex
and becomes a stale pointer fast, as
sdb_free_entry() called before any talloc_free()
can happen (with a destructor still set).
Note the talloc parent of samba_kdc_entry
is the samba_kdc_db_context longterm context.
The next commits will fill samba_kdc_entry_destructor
with logic again, but for now remove the unused code.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9c7de9a56e22921ed86447e93e06979c9d97b03a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 11 21:04:44 2022 +0100
s4:kdc: split out a sdb_keys_free() helper function
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d2f471f9a478774b7d921c85ee7b7e97f41e4040
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 11 21:04:44 2022 +0100
s4:kdc: rename free_sdb_key() as public sdb_key_free() function
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9bc5aeddfd2e205a08f8f63dce4d368863068200
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 11 20:58:03 2022 +0100
s4:kdc: make free_sdb_entry() static
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a77933f9d27fd8504953345c092464404b9faa2a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 11 20:55:25 2022 +0100
s4:kdc: let samba_kdc_entry_destructor() call sdb_free_entry()
It's basically the same as free_sdb_entry(), but the next
step will make free_sdb_entry() private.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ccd11c2c25cfe3c943b5b16da8db53af3c53da84
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 11 21:13:24 2022 +0100
s4:kdc: don't leak salt in free_sdb_key()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 97dbdb48d857e49bcae2f5497414d94a1f14b684
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 11 20:56:17 2022 +0100
s4:kdc: call krb5_free_keyblock_contents() in free_sdb_key()
This is much clearer than doing it in sdb_free_entry() already.
It also simplifies the next cleanups.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ff03d88d6e5f909b774c5a3d05757d57052d77ea
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 22 13:59:58 2022 +0100
s4:kdc: remove unused sdb_entry_ex->free_entry()
It seems we need to take a closer look at the
memory hierachy of the sdb_entry related code.
I'll check that during the next commits,
but for now just remove use the unused hook.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4f6a34df68ec564929354b66f80c9ed4b88ead5d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Mar 23 02:14:46 2022 +0100
s4:libnet: ask for SDB_F_ADMIN_DATA in order to create a keytab entry
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 244e188083ae006120014049e3673bb960a15080
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 21 23:39:14 2022 +0100
s4:libnet: sdb_free_entry() already clears everything
There's no need to know about '.free_entry'.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 829bb366f33f1c20cdf4ef6d40bd4a926e2c6afb
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 22 13:31:31 2022 +0100
s4:kdc: let sdb_free_entry clear sdb_entry_ex at the end
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6152db35a660574bcfdc8a2cffe795e3bc30e25e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 17 10:59:45 2022 +0100
s4:kdc: let sdb_entry_ex_to_krb5_db_entry() initialize 'k' at the beginning
This is clearer and make further changes easier.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ba6fccf443978b40e0187a7e589dd2cf6874fc39
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 17 10:59:45 2022 +0100
s4:kdc: let sdb_entry_to_hdb_entry() initialize *h at the beginning
This is clearer and make further changes easier.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7312bca8c7a09b5fd4a35c15f1c8b49fc2c209cf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 11 21:04:57 2022 +0100
s4:kdc: remove unused mkvno from sdb_key
This is not related to the kvno of the key,
the mkvno tells the HDB layer that the keys need to
be decrypted with a master key (with the given [m]kvno).
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ab0946a75d51b8f4826d98c61c3ad503615009fe
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 16 14:11:10 2022 +0100
s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos
Even if the msDS-KeyVersionNumber of the main krbtgt
account if larger than 65535, we need to have
the 16 upper bits all zero in order to avoid
mixing the keys with an RODC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14951
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source4/kdc/db-glue.c | 1030 ++++++++++++++++------------
source4/kdc/db-glue.h | 42 +-
source4/kdc/hdb-samba4.c | 55 +-
source4/kdc/mit-kdb/kdb_samba.c | 3 +-
source4/kdc/mit-kdb/kdb_samba_principals.c | 3 +-
source4/kdc/mit_kdc_irpc.c | 6 +-
source4/kdc/mit_samba.c | 30 +-
source4/kdc/samba_kdc.h | 3 +-
source4/kdc/sdb.c | 64 +-
source4/kdc/sdb.h | 15 +-
source4/kdc/sdb_to_hdb.c | 55 +-
source4/kdc/sdb_to_kdb.c | 59 +-
source4/kdc/wdc-samba4.c | 10 +-
source4/libnet/libnet_export_keytab.c | 29 +-
14 files changed, 731 insertions(+), 673 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index d384ecea811..dbe9276350c 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -47,14 +47,13 @@
#define SAMBA_KVNO_GET_KRBTGT(kvno) \
((uint16_t)(((uint32_t)kvno) >> 16))
+#define SAMBA_KVNO_GET_VALUE(kvno) \
+ ((uint16_t)(((uint32_t)kvno) & 0xFFFF))
+
#define SAMBA_KVNO_AND_KRBTGT(kvno, krbtgt) \
((krb5_kvno)((((uint32_t)kvno) & 0xFFFF) | \
((((uint32_t)krbtgt) << 16) & 0xFFFF0000)))
-enum samba_kdc_ent_type
-{ SAMBA_KDC_ENT_TYPE_CLIENT, SAMBA_KDC_ENT_TYPE_SERVER,
- SAMBA_KDC_ENT_TYPE_KRBTGT, SAMBA_KDC_ENT_TYPE_TRUST, SAMBA_KDC_ENT_TYPE_ANY };
-
enum trust_direction {
UNKNOWN = 0,
INBOUND = LSA_TRUST_DIRECTION_INBOUND,
@@ -249,9 +248,19 @@ static struct SDBFlags uf2SDBFlags(krb5_context context, uint32_t userAccountCon
static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
{
- if (p->entry_ex != NULL) {
- struct sdb_entry_ex *entry_ex = p->entry_ex;
- free_sdb_entry(&entry_ex->entry);
+ if (p->db_entry != NULL) {
+ /*
+ * A sdb_entry still has a reference
+ */
+ return -1;
+ }
+
+ if (p->kdc_entry != NULL) {
+ /*
+ * hdb_entry or krb5_db_entry still
+ * have a reference...
+ */
+ return -1;
}
return 0;
@@ -270,9 +279,9 @@ static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
* in the server keys (unless the string attribute is set on the server
* principal overriding that set).
*/
-static int samba_kdc_sort_encryption_keys(struct sdb_entry_ex *entry_ex)
+
+static int sdb_key_strength_priority(krb5_enctype etype)
{
- unsigned int i, j, idx = 0;
static const krb5_enctype etype_list[] = {
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
@@ -283,66 +292,62 @@ static int samba_kdc_sort_encryption_keys(struct sdb_entry_ex *entry_ex)
ENCTYPE_DES_CBC_CRC,
ENCTYPE_NULL
};
- size_t etype_len = ARRAY_SIZE(etype_list);
- size_t keys_size = entry_ex->entry.keys.len;
- struct sdb_key *keys = entry_ex->entry.keys.val;
- struct sdb_key *sorted_keys;
+ int i;
- sorted_keys = calloc(keys_size, sizeof(struct sdb_key));
- if (sorted_keys == NULL) {
- return -1;
+ for (i = 0; i < ARRAY_SIZE(etype_list); i++) {
+ if (etype == etype_list[i]) {
+ break;
+ }
}
- for (i = 0; i < etype_len; i++) {
- for (j = 0; j < keys_size; j++) {
- const struct sdb_key skey = keys[j];
+ return ARRAY_SIZE(etype_list) - i;
+}
- if (idx == keys_size) {
- break;
- }
+static int sdb_key_strength_cmp(const struct sdb_key *k1, const struct sdb_key *k2)
+{
+ int p1 = sdb_key_strength_priority(KRB5_KEY_TYPE(&k1->key));
+ int p2 = sdb_key_strength_priority(KRB5_KEY_TYPE(&k2->key));
- if (KRB5_KEY_TYPE(&skey.key) == etype_list[i]) {
- sorted_keys[idx] = skey;
- idx++;
- }
- }
+ if (p1 == p2) {
+ return 0;
}
- /* Paranoia: Something went wrong during data copy */
- if (idx != keys_size) {
- free(sorted_keys);
+ if (p1 > p2) {
+ /*
+ * Higher priority comes first
+ */
return -1;
+ } else {
+ return 1;
}
+}
- free(entry_ex->entry.keys.val);
- entry_ex->entry.keys.val = sorted_keys;
+static void samba_kdc_sort_keys(struct sdb_keys *keys)
+{
+ if (keys == NULL) {
+ return;
+ }
- return 0;
+ TYPESAFE_QSORT(keys->val, keys->len, sdb_key_strength_cmp);
}
int samba_kdc_set_fixed_keys(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
const struct ldb_val *secretbuffer,
- bool is_protected,
- struct sdb_entry_ex *entry_ex)
+ uint32_t supported_enctypes,
+ struct sdb_keys *keys)
{
- uint32_t supported_enctypes = ENC_ALL_TYPES;
uint16_t allocated_keys = 0;
int ret;
allocated_keys = 3;
- entry_ex->entry.keys.len = 0;
- entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(struct sdb_key));
- if (entry_ex->entry.keys.val == NULL) {
+ keys->len = 0;
+ keys->val = calloc(allocated_keys, sizeof(struct sdb_key));
+ if (keys->val == NULL) {
memset(secretbuffer->data, 0, secretbuffer->length);
ret = ENOMEM;
goto out;
}
- if (is_protected) {
- supported_enctypes &= ~ENC_RC4_HMAC_MD5;
- }
-
if (supported_enctypes & ENC_HMAC_SHA1_96_AES256) {
struct sdb_key key = {};
@@ -356,8 +361,8 @@ int samba_kdc_set_fixed_keys(krb5_context context,
goto out;
}
- entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
- entry_ex->entry.keys.len++;
+ keys->val[keys->len] = key;
+ keys->len++;
}
if (supported_enctypes & ENC_HMAC_SHA1_96_AES128) {
@@ -373,8 +378,8 @@ int samba_kdc_set_fixed_keys(krb5_context context,
goto out;
}
- entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
- entry_ex->entry.keys.len++;
+ keys->val[keys->len] = key;
+ keys->len++;
}
if (supported_enctypes & ENC_RC4_HMAC_MD5) {
@@ -390,8 +395,8 @@ int samba_kdc_set_fixed_keys(krb5_context context,
goto out;
}
- entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
- entry_ex->entry.keys.len++;
+ keys->val[keys->len] = key;
+ keys->len++;
}
ret = 0;
out:
@@ -400,9 +405,8 @@ out:
static int samba_kdc_set_random_keys(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
- struct sdb_entry_ex *entry_ex,
- bool is_protected)
+ uint32_t supported_enctypes,
+ struct sdb_keys *keys)
{
struct ldb_val secret_val;
uint8_t secretbuffer[32];
@@ -418,121 +422,252 @@ static int samba_kdc_set_random_keys(krb5_context context,
secret_val = data_blob_const(secretbuffer,
sizeof(secretbuffer));
- return samba_kdc_set_fixed_keys(context, kdc_db_ctx,
+ return samba_kdc_set_fixed_keys(context,
&secret_val,
- is_protected,
- entry_ex);
+ supported_enctypes,
+ keys);
}
+struct samba_kdc_user_keys {
+ struct sdb_keys *skeys;
+ uint32_t kvno;
+ uint32_t *returned_kvno;
+ uint32_t supported_enctypes;
+ uint32_t *available_enctypes;
+ const struct samr_Password *nthash;
+ const char *salt_string;
+ uint16_t num_pkeys;
+ const struct package_PrimaryKerberosKey4 *pkeys;
+};
+
+static krb5_error_code samba_kdc_fill_user_keys(krb5_context context,
+ struct samba_kdc_user_keys *p)
+{
+ /*
+ * Make sure we'll never reveal DES keys
+ */
+ uint32_t supported_enctypes = p->supported_enctypes & ENC_ALL_TYPES;
+ uint32_t _available_enctypes = 0;
+ uint32_t *available_enctypes = p->available_enctypes;
+ uint32_t _returned_kvno = 0;
+ uint32_t *returned_kvno = p->returned_kvno;
+ uint32_t num_pkeys = p->num_pkeys;
+ uint32_t allocated_keys = num_pkeys;
+ uint32_t i;
+ int ret;
+
+ if (available_enctypes == NULL) {
+ available_enctypes = &_available_enctypes;
+ }
+
+ *available_enctypes = 0;
+
+ if (returned_kvno == NULL) {
+ returned_kvno = &_returned_kvno;
+ }
+
+ *returned_kvno = p->kvno;
+
+ if (p->nthash != NULL) {
+ allocated_keys += 1;
+ }
+
+ allocated_keys = MAX(1, allocated_keys);
+
+ /* allocate space to decode into */
+ p->skeys->len = 0;
+ p->skeys->val = calloc(allocated_keys, sizeof(struct sdb_key));
+ if (p->skeys->val == NULL) {
+ return ENOMEM;
+ }
+
+ for (i=0; i < num_pkeys; i++) {
+ struct sdb_key key = {};
+ uint32_t enctype_bit;
+
+ if (p->pkeys[i].value == NULL) {
+ continue;
+ }
+
+ enctype_bit = kerberos_enctype_to_bitmap(p->pkeys[i].keytype);
+ if (!(enctype_bit & supported_enctypes)) {
+ continue;
+ }
+
+ if (p->salt_string != NULL) {
+ DATA_BLOB salt;
+
+ salt = data_blob_string_const(p->salt_string);
+
+ key.salt = calloc(1, sizeof(*key.salt));
+ if (key.salt == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ key.salt->type = KRB5_PW_SALT;
+
+ ret = smb_krb5_copy_data_contents(&key.salt->salt,
+ salt.data,
+ salt.length);
+ if (ret) {
+ ZERO_STRUCTP(key.salt);
+ sdb_key_free(&key);
+ goto fail;
+ }
+ }
+
+ ret = smb_krb5_keyblock_init_contents(context,
+ p->pkeys[i].keytype,
+ p->pkeys[i].value->data,
+ p->pkeys[i].value->length,
+ &key.key);
+ if (ret == 0) {
+ p->skeys->val[p->skeys->len++] = key;
+ *available_enctypes |= enctype_bit;
+ continue;
+ }
+ ZERO_STRUCT(key.key);
+ sdb_key_free(&key);
+ if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+ DEBUG(2,("Unsupported keytype ignored - type %u\n",
+ p->pkeys[i].keytype));
+ ret = 0;
+ continue;
+ }
+
+ goto fail;
+ }
+
+ if (p->nthash != NULL && (supported_enctypes & ENC_RC4_HMAC_MD5)) {
+ struct sdb_key key = {};
+
+ ret = smb_krb5_keyblock_init_contents(context,
+ ENCTYPE_ARCFOUR_HMAC,
+ p->nthash->hash,
+ sizeof(p->nthash->hash),
+ &key.key);
+ if (ret == 0) {
+ p->skeys->val[p->skeys->len++] = key;
+
+ *available_enctypes |= ENC_RC4_HMAC_MD5;
+ } else if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+ DEBUG(2,("Unsupported keytype ignored - type %u\n",
+ ENCTYPE_ARCFOUR_HMAC));
+ ret = 0;
+ }
+ if (ret != 0) {
+ goto fail;
+ }
+ }
+
+ samba_kdc_sort_keys(p->skeys);
+
+ return 0;
+fail:
+ sdb_keys_free(p->skeys);
+ return ret;
+}
-static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
- TALLOC_CTX *mem_ctx,
- struct ldb_message *msg,
- uint32_t rid,
- bool is_rodc,
- uint32_t userAccountControl,
- enum samba_kdc_ent_type ent_type,
- struct sdb_entry_ex *entry_ex,
- bool is_protected,
- uint32_t *supported_enctypes_out)
+krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
+ TALLOC_CTX *mem_ctx,
+ const struct ldb_message *msg,
+ bool is_krbtgt,
+ bool is_rodc,
+ uint32_t userAccountControl,
+ enum samba_kdc_ent_type ent_type,
+ unsigned flags,
+ krb5_kvno requested_kvno,
+ struct sdb_entry *entry,
+ const uint32_t supported_enctypes_in,
+ uint32_t *supported_enctypes_out)
{
krb5_error_code ret = 0;
enum ndr_err_code ndr_err;
struct samr_Password *hash;
+ unsigned int num_ntPwdHistory = 0;
+ struct samr_Password *ntPwdHistory = NULL;
+ struct samr_Password *old_hash = NULL;
+ struct samr_Password *older_hash = NULL;
const struct ldb_val *sc_val;
struct supplementalCredentialsBlob scb;
struct supplementalCredentialsPackage *scpk = NULL;
- bool newer_keys = false;
struct package_PrimaryKerberosBlob _pkb;
- struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
+ int krbtgt_number = 0;
+ uint32_t current_kvno;
+ uint32_t old_kvno = 0;
+ uint32_t older_kvno = 0;
+ uint32_t returned_kvno = 0;
uint16_t i;
- uint16_t allocated_keys = 0;
- int rodc_krbtgt_number = 0;
- int kvno = 0;
- uint32_t supported_enctypes
- = ldb_msg_find_attr_as_uint(msg,
- "msDS-SupportedEncryptionTypes",
- 0);
- *supported_enctypes_out = 0;
-
- if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
- bool enable_fast;
-
- /* KDCs (and KDCs on RODCs) use AES */
- supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
-
- enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx);
- if (enable_fast) {
- supported_enctypes |= ENC_FAST_SUPPORTED;
- }
- } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
- /* DCs and RODCs comptuer accounts use AES */
- supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
- } else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
- (ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
- /* for AS-REQ the client chooses the enc types it
- * supports, and this will vary between computers a
- * user logs in from.
- *
- * likewise for 'any' return as much as is supported,
- * to export into a keytab */
- supported_enctypes = ENC_ALL_TYPES;
- }
-
- /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
- if (userAccountControl & UF_USE_DES_KEY_ONLY) {
- supported_enctypes = 0;
- } else {
- /* Otherwise, add in the default enc types */
- supported_enctypes |= ENC_RC4_HMAC_MD5;
- }
+ struct samba_kdc_user_keys keys = { .num_pkeys = 0, };
+ struct samba_kdc_user_keys old_keys = { .num_pkeys = 0, };
+ struct samba_kdc_user_keys older_keys = { .num_pkeys = 0, };
+ uint32_t available_enctypes = 0;
+ uint32_t supported_enctypes = supported_enctypes_in;
- if (is_protected) {
- supported_enctypes &= ~ENC_RC4_HMAC_MD5;
- }
+ *supported_enctypes_out = 0;
/* Is this the krbtgt or a RODC krbtgt */
if (is_rodc) {
- rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
+ krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
- if (rodc_krbtgt_number == -1) {
+ if (krbtgt_number == -1) {
+ return EINVAL;
+ }
+ if (krbtgt_number == 0) {
return EINVAL;
}
}
- entry_ex->entry.keys.val = NULL;
- entry_ex->entry.keys.len = 0;
- entry_ex->entry.kvno = 0;
-
if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT)
&& (userAccountControl & UF_SMARTCARD_REQUIRED)) {
ret = samba_kdc_set_random_keys(context,
- kdc_db_ctx,
- entry_ex,
- is_protected);
+ supported_enctypes,
+ &entry->keys);
*supported_enctypes_out = supported_enctypes;
goto out;
}
- kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
- if (is_rodc) {
- kvno = SAMBA_KVNO_AND_KRBTGT(kvno, rodc_krbtgt_number);
+ current_kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
+ if (current_kvno > 1) {
+ old_kvno = current_kvno - 1;
+ }
+ if (current_kvno > 2) {
+ older_kvno = current_kvno - 2;
+ }
+ if (is_krbtgt) {
+ /*
+ * Even for the main krbtgt account
+ * we have to strictly split the kvno into
+ * two 16-bit parts and the upper 16-bit
+ * need to be all zero, even if
+ * the msDS-KeyVersionNumber has a value
+ * larger than 65535.
+ *
--
Samba Shared Repository
More information about the samba-cvs
mailing list