-rw-r--r-- | source4/auth/credentials/credentials_gensec.c | 47 | ||||
-rw-r--r-- | source4/auth/gensec/gensec.c | 7 | ||||
-rw-r--r-- | source4/kdc/config.mk | 1 | ||||
-rw-r--r-- | source4/kdc/hdb-ldb.c | 43 | ||||
-rw-r--r-- | source4/kdc/kdc.c | 10 | ||||
-rw-r--r-- | source4/kdc/kdc.h | 10 | ||||
-rw-r--r-- | source4/kdc/pac-glue.c | 8 |
7 files changed, 100 insertions, 26 deletions
diff --git a/source4/auth/credentials/credentials_gensec.c b/source4/auth/credentials/credentials_gensec.c
index 077e4689ec..fcaa760ed4 100644
--- a/source4/auth/credentials/credentials_gensec.c
+++ b/source4/auth/credentials/credentials_gensec.c
@@ -24,8 +24,53 @@ const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds)
 {
- if (!creds->gensec_list) {
+ if (!creds || !creds->gensec_list) {
 return gensec_security_all();
 }
 return creds->gensec_list;
 }
+
+static NTSTATUS cli_credentials_gensec_remove_mech(struct cli_credentials *creds,
+ const struct gensec_security_ops *remove_mech)
+{
+ const struct gensec_security_ops **gensec_list;
+ const struct gensec_security_ops **new_gensec_list;
+ int i, j;
+
+ gensec_list = cli_credentials_gensec_list(creds);
+
+ for (i=0; gensec_list && gensec_list[i]; i++) {
+ /* noop */
+ }
+
+ new_gensec_list = talloc_array(creds, const struct gensec_security_ops *, i + 1);
+ if (!new_gensec_list) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ j = 0;
+ for (i=0; gensec_list && gensec_list[i]; i++) {
+ if (gensec_list[i] != remove_mech) {
+ new_gensec_list[j] = gensec_list[i];
+ j++;
+ }
+ }
+ new_gensec_list[j] = NULL;
+
+ creds->gensec_list = new_gensec_list;
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS cli_credentials_gensec_remove_oid(struct cli_credentials *creds,
+ const char *oid)
+{
+ const struct gensec_security_ops *gensec_by_oid;
+
+ gensec_by_oid = gensec_security_by_oid(NULL, oid);
+ if (!gensec_by_oid) {
+ return NT_STATUS_OK;
+ }
+
+ return cli_credentials_gensec_remove_mech(creds, gensec_by_oid);
+}
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 0d79cb892c..26f245787b 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
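Review bot: `cli_credentials_gensec_remove_mech` dereferences `creds` unconditionally at `creds->gensec_list = new_gensec_list;`, while the same hunk teaches `cli_credentials_gensec_list` to tolerate a NULL `creds`; a NULL arriving through `cli_credentials_gensec_remove_oid` (its only caller in this diff, reached from `hdb_ldb_create` with `session_info->credentials`) would survive the list lookup and the `talloc_array(creds, ...)` only to crash on that store. A guard at the top of the function keeps the two consistent: `if (!creds) { return NT_STATUS_INVALID_PARAMETER; }`. Separately, when the list being replaced was an earlier `creds->gensec_list` allocation it stays parented to `creds` after the swap; whether that accumulates depends on how often the OID removal runs per credentials object, which is not visible here, but a `talloc_free` of the old pointer when it is not the `gensec_security_all()` table would close the question. The `int i, j` indices would more conventionally be `size_t` given they feed a `talloc_array` count.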
@@ -53,8 +53,8 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
 return NULL;
 }
-static const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
- const char *oid_string)
+const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
+ const char *oid_string)
 {
 int i, j;
 const struct gensec_security_ops **backends;
@@ -805,6 +805,9 @@ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct
 struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
 {
+ if (!gensec_security) {
+ return NULL;
+ }
 return gensec_security->credentials;
 }
diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk
index 9e07ecab19..ef14f83893 100644
--- a/source4/kdc/config.mk
+++ b/source4/kdc/config.mk
@@ -3,6 +3,7 @@
 #######################
 # Start SUBSYSTEM KDC
 [SUBSYSTEM::KDC]
+NOPROTO = YES
 INIT_OBJ_FILES = \
 kdc.o \
 pac-glue.o \
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index e9c1855a10..9b1d673764 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -40,6 +40,7 @@
 #include "lib/ldb/include/ldb_errors.h"
 #include "system/iconv.h"
 #include "librpc/gen_ndr/netlogon.h"
+#include "auth/auth.h"
 enum hdb_ldb_ent_type {
 HDB_LDB_ENT_TYPE_CLIENT,
 HDB_LDB_ENT_TYPE_SERVER,
@@ -588,7 +589,8 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con
 talloc_free(res);
 return HDB_ERR_NOENTRY;
 }
- *pmsg = talloc_steal(mem_ctx, res->msgs);
+ talloc_steal(mem_ctx, res->msgs);
+ *pmsg = res->msgs;
 talloc_free(res);
 return 0;
 }
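Review bot: `gensec_security_by_oid` becomes a public symbol here and, in the credentials_gensec.c hunk above, is immediately called with a NULL `gensec_security`; its body runs past this hunk, so whether every helper it reaches accepts a NULL context is not visible, and the NULL guard added to `gensec_get_credentials` in the next hunk is consistent with that being the intended path but does not by itself prove it. That contract deserves a line above the definition, e.g. `/* gensec_security may be NULL (see cli_credentials_gensec_remove_oid()) */`, so the next change to the lookup keeps honouring it. The now-exported function also needs a declaration visible to credentials_gensec.c; none appears in the diff, which is fine if gensec's prototypes are auto-generated (the KDC's new `NOPROTO = YES` suggests the rest of the tree is), but it is worth confirming rather than relying on an implicit declaration.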
@@ -680,7 +682,7 @@ static krb5_error_code LDB_fetch_ex(krb5_context context, HDB *db, unsigned flag
 const char *realm;
 const struct ldb_dn *realm_dn;
- TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "LDB_fetch context");
+ TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context");
 if (!mem_ctx) {
 krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!");
@@ -1037,25 +1039,44 @@ static krb5_error_code LDB_destroy(krb5_context context, HDB *db)
 return 0;
 }
-krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
- krb5_context context, struct HDB **db, const char *arg)
+NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx,
+ krb5_context context, struct HDB **db, const char *arg)
 {
+ NTSTATUS nt_status;
+ struct auth_session_info *session_info;
 *db = talloc(mem_ctx, HDB);
 if (!*db) {
 krb5_set_error_string(context, "malloc: out of memory");
- return ENOMEM;
+ return NT_STATUS_NO_MEMORY;
 }
 (*db)->hdb_master_key_set = 0;
 (*db)->hdb_db = NULL;
+ nt_status = auth_system_session_info(*db, &session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ /* The idea here is very simple. Using Kerberos to
+ * authenticate the KDC to the LDAP server is higly likely to
+ * be circular.
+ *
+ * In future we may set this up to use EXERNAL and SSL
+ * certificates, for now it will almost certainly be NTLMSSP
+ */
+
+ nt_status = cli_credentials_gensec_remove_oid(session_info->credentials,
+ GENSEC_OID_KERBEROS5);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
 /* Setup the link to LDB */
- (*db)->hdb_db = samdb_connect(*db, system_session(db));
+ (*db)->hdb_db = samdb_connect(*db, session_info);
 if ((*db)->hdb_db == NULL) {
- krb5_warnx(context, "hdb_ldb_create: samdb_connect failed!");
- krb5_set_error_string(context, "samdb_connect failed!");
- talloc_free(*db);
- return HDB_ERR_NOENTRY;
+ DEBUG(1, ("hdb_ldb_create: Cannot open samdb for KDC backend!"));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 }
 (*db)->hdb_openp = 0;
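Review bot: The two new early returns in `hdb_ldb_create` (after `auth_system_session_info` and after `cli_credentials_gensec_remove_oid`) and the rewritten `samdb_connect` failure branch all return with `*db` still pointing at a partially initialised HDB, whereas the branch being replaced did `talloc_free(*db)` first; since `session_info` is allocated on `*db`, one cleanup label at the end of the function (its tail, `return NT_STATUS_OK; }`, is in the next hunk) can free everything and reset `*db = NULL` for all three paths. The new `DEBUG(1, ("hdb_ldb_create: Cannot open samdb for KDC backend!"))` also lacks the trailing `\n` that the DEBUG line it displaces in kdc.c carried. The block comment above the OID removal is the right place for the design reasoning (the KDC must not authenticate to its own directory with Kerberos), but "higly" and "EXERNAL" should read "highly" and "EXTERNAL".
```c
	nt_status = auth_system_session_info(*db, &session_info);
	if (!NT_STATUS_IS_OK(nt_status)) {
		goto failed;
	}
	/* … unchanged: comment explaining why Kerberos is removed from the KDC's own credentials … */
	nt_status = cli_credentials_gensec_remove_oid(session_info->credentials,
						      GENSEC_OID_KERBEROS5);
	if (!NT_STATUS_IS_OK(nt_status)) {
		goto failed;
	}
	/* Setup the link to LDB */
	(*db)->hdb_db = samdb_connect(*db, session_info);
	if ((*db)->hdb_db == NULL) {
		DEBUG(1, ("hdb_ldb_create: Cannot open samdb for KDC backend!\n"));
		nt_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
		goto failed;
	}
	/* … unchanged: hdb function-pointer setup, return NT_STATUS_OK (next hunk) … */
failed:
	/* session_info is a talloc child of *db, so this releases it too */
	talloc_free(*db);
	*db = NULL;
	return nt_status;
```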
@@ -1077,5 +1098,5 @@ krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
 (*db)->hdb__del = NULL;
 (*db)->hdb_destroy = LDB_destroy;
- return 0;
+ return NT_STATUS_OK;
 }
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index bcf7ed968c..7e165ae349 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -564,12 +564,10 @@ static void kdc_task_init(struct task_server *task)
 }
 kdc->config->num_db = 1;
- ret = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context,
- &kdc->config->db[0], NULL);
- if (ret != 0) {
- DEBUG(1, ("kdc_task_init: hdb_ldb_create fails: %s\n",
- smb_get_krb5_error_message(kdc->smb_krb5_context->krb5_context, ret, kdc)));
- task_server_terminate(task, "kdc: hdb_ldb_create failed");
+ status = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context,
+ &kdc->config->db[0], NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed");
 return;
 }
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index 99c419d4d9..0cf3199c52 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -27,8 +27,14 @@
 #include "heimdal/lib/hdb/hdb.h"
 #include "kdc/pac-glue.h"
-krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
- krb5_context context, struct HDB **db, const char *arg);
+NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx,
+ krb5_context context, struct HDB **db, const char *arg);
+BOOL kpasswdd_process(struct kdc_server *kdc,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *input,
+ DATA_BLOB *reply,
+ const char *from,
+ int src_port);
 /* top level context structure for the kdc server
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index bd4d3e6a2f..79e7b3c5a7 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
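Review bot: The kdc.c failure branch now drops the reason: the removed code logged the krb5 error text before terminating, the new one terminates with a fixed string and never reports `status`, so an operator sees only "hdb_ldb_create (setup KDC database) failed" with no hint whether the session-info setup, the OID removal or `samdb_connect` was the step that failed (two of those three paths emit no DEBUG of their own in the hdb-ldb.c hunk). Keep a diagnostic ahead of the terminate call: `DEBUG(1, ("kdc_task_init: hdb_ldb_create failed: %s\n", nt_errstr(status)));`. `kdc_task_init` starts and ends outside the hunk, so it should be checked that `status` is declared there and that `ret` has not been left unused by this change.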
@@ -81,7 +81,7 @@ static krb5_error_code samba_get_pac(krb5_context context,
 }
 /* Wrap the PAC in the right ASN.1. Will always free 'pac', on success or failure */
-krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData **out)
+static krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData **out)
 {
 krb5_error_code ret;
@@ -144,7 +144,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
 set, or if they specificaly asked not to get it. */
- krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex,
+krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex,
 METHOD_DATA* pa_data_seq,
 time_t authtime,
 EncryptionKey *tgtkey,
@@ -204,7 +204,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
 /* Resign (and reform, including possibly new groups) a PAC */
- krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex,
+krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex,
 krb5_principal client,
 AuthorizationData *in,
 time_t authtime,
@@ -316,7 +316,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
 /* Given an hdb entry (and in particular it's private member), consult
 * the account_ok routine in auth/auth_sam.c for consistancy */
- krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex,
+krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex,
 HostAddresses *addresses)
 {
 krb5_error_code ret;
|