author | Andrew Bartlett <abartlet@samba.org> | 2010-09-29 09:06:39 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-09-28 19:25:50 -0700 |
commit | 3d4576b170d92f97018076faf0ed914cf2fdd01b (patch) | |
tree | dd4668a5f92b66b6d9e36b158373d032eb176166 /source4/kdc | |
parent | f84bdf91d865ab176dcc0d829944821b89b88074 (diff) | |
s4-kdc Ensure that an RODC may act as a server (needed to fill
the krbtgt role).
Andrew Bartlett
Diffstat (limited to 'source4/kdc')
-rw-r--r-- | source4/kdc/db-glue.c | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index ecb160caf3..cf7e4e460f 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -196,6 +196,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 TALLOC_CTX *mem_ctx,
 struct ldb_message *msg,
 uint32_t rid,
+ bool is_rodc,
 unsigned int userAccountControl,
 enum samba_kdc_ent_type ent_type,
 hdb_entry_ex *entry_ex)
@@ -213,7 +214,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 uint16_t i;
 uint16_t allocated_keys = 0;
 int rodc_krbtgt_number = 0;
- bool is_rodc = false;
 /* Supported Enc for this entry */
 uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support all enc types */
@@ -229,9 +229,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 supported_enctypes);
 /* Is this the krbtgt or a RODC */
- if (ldb_msg_find_element(msg, "msDS-SecondaryKrbTgtNumber")) {
- is_rodc = true;
-
+ if (is_rodc) {
 rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
 if (rodc_krbtgt_number == -1) {
@@ -541,12 +539,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 NTSTATUS status;
 uint32_t rid;
+ bool is_rodc = false;
 struct ldb_message_element *objectclasses;
 struct ldb_val computer_val;
 const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
 computer_val.data = discard_const_p(uint8_t,"computer");
 computer_val.length = strlen((const char *)computer_val.data);
+ if (ldb_msg_find_element(msg, "msDS-SecondaryKrbTgtNumber")) {
+ is_rodc = true;
+ }
+
 if (!samAccountName) {
 ret = ENOENT;
 krb5_set_error_message(context, ret, "samba_kdc_message2entry: no samAccountName present");
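Review bot: The new `bool is_rodc` parameter of samba_kdc_message2entry_keys (first hunk) is undocumented, and the function now depends on the caller having tested for msDS-SecondaryKrbTgtNumber while it still reads that attribute itself in the third hunk; a comment on the parameter such as `/* is_rodc: caller found msDS-SecondaryKrbTgtNumber on msg; its value is read below as the RODC krbtgt number */` keeps the two halves in sync. The surviving `/* Is this the krbtgt or a RODC */` comment in the third hunk describes a test this function no longer performs and could read `/* RODC krbtgt: fetch its secondary krbtgt number */`. The function's declaration starts outside the hunk, only its first line appears on the @@ header.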
@@ -686,6 +689,22 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 entry_ex->entry.flags.client = 0;
 entry_ex->entry.flags.forwardable = 1;
 entry_ex->entry.flags.ok_as_delegate = 1;
+ } else if (is_rodc) {
+ /* The RODC krbtgt account is like the main krbtgt,
+ * but it does not have a changepw or kadmin
+ * service */
+
+ entry_ex->entry.valid_end = NULL;
+ entry_ex->entry.pw_end = NULL;
+
+ /* Also don't allow the RODC krbtgt to be a client (it should not be needed) */
+ entry_ex->entry.flags.client = 0;
+ entry_ex->entry.flags.invalid = 0;
+ entry_ex->entry.flags.server = 1;
+
+ entry_ex->entry.flags.client = 0;
+ entry_ex->entry.flags.forwardable = 0;
+ entry_ex->entry.flags.ok_as_delegate = 0;
 } else if (entry_ex->entry.flags.server && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
 /* The account/password expiry only applies when the account is used as a
 * client (ie password login), not when used as a server */
@@ -735,7 +754,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 /* Get keys from the db */
 ret = samba_kdc_message2entry_keys(context, p, msg,
- rid, userAccountControl,
+ rid, is_rodc, userAccountControl,
 ent_type, entry_ex);
 if (ret) {
 /* Could be bougus data in the entry, or out of memory */ |
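Review bot: `entry_ex->entry.flags.client = 0;` is assigned twice in the new `else if (is_rodc)` branch, once under the "Also don't allow the RODC krbtgt to be a client" comment and again three lines later beside forwardable and ok_as_delegate; dropping the second assignment leaves one deliberate flag set. The branch also forces `entry_ex->entry.flags.invalid = 0;` and `flags.server = 1` solely because msDS-SecondaryKrbTgtNumber is present (is_rodc from the earlier hunk), so if flags.invalid was derived from userAccountControl earlier in the function that state is cleared for the RODC krbtgt account; this presumably mirrors the main krbtgt branch above, but it is worth confirming that a disabled RODC krbtgt account is still refused as a server. The enclosing samba_kdc_message2entry begins and ends outside the hunk.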