From 12ce07e53b9453f35a1483d941bfce9c23f790a0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 30 Nov 2011 07:45:25 +1100 Subject: s4-kdc: Add hdb plugin for samba4, to allow kadmin to work This will help users who are used to the kadmin interface, and could be extended to import existing MIT or Heimdal keys into a Samba4 AD domain. To use, add to your krb5.conf [kdc] database = { dbname = samba4: } or [kdc] database = { dbname = samba4:/usr/local/samba/etc/smb.conf } And copy hdb_samba4.so from PREFIX/modules/hdb to your Heimdal lib directory Andrew Bartlett Autobuild-User: Andrew Bartlett Autobuild-Date: Wed Nov 30 03:22:11 CET 2011 on sn-devel-104 --- source4/kdc/hdb-samba4-plugin.c | 84 +++++++++++++++++++++++++++++++++++ source4/kdc/hdb-samba4.c | 32 ------------- source4/kdc/kdc.c | 3 +- source4/kdc/samba_kdc.h | 2 + source4/kdc/wscript_build | 22 ++++++--- source4/libnet/libnet_export_keytab.c | 4 +- 6 files changed, 104 insertions(+), 43 deletions(-) create mode 100644 source4/kdc/hdb-samba4-plugin.c diff --git a/source4/kdc/hdb-samba4-plugin.c b/source4/kdc/hdb-samba4-plugin.c new file mode 100644 index 0000000000..568386d29a --- /dev/null +++ b/source4/kdc/hdb-samba4-plugin.c 
@@ -0,0 +1,84 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ KDC Server startup
+
+ Copyright (C) Andrew Bartlett 2005-20011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "includes.h"
+#include "kdc/kdc-glue.h"
+#include "kdc/db-glue.h"
+#include "lib/util/samba_util.h"
+#include "lib/param/param.h"
+#include "source4/lib/events/events.h"
+
+static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg)
+{
+ NTSTATUS nt_status;
+ void *ptr;
+ struct samba_kdc_base_context *base_ctx;
+
+ if (sscanf(arg, "&%p", &ptr) == 1) {
+ base_ctx = talloc_get_type_abort(ptr, struct samba_kdc_base_context);
+ } else if (arg[0] == '\0' || file_exist(arg)) {
+ /* This mode for use in kadmin, rather than in Samba */
+
+ setup_logging("hdb_samba4", DEBUG_DEFAULT_STDERR);
+
+ base_ctx = talloc_zero(NULL, struct samba_kdc_base_context);
+ if (!base_ctx) {
+ return ENOMEM;
+ }
+
+ base_ctx->ev_ctx = s4_event_context_init(base_ctx);
+ base_ctx->lp_ctx = loadparm_init_global(false);
+ if (arg[0]) {
+ lpcfg_load(base_ctx->lp_ctx, arg);
+ } else {
+ lpcfg_load_default(base_ctx->lp_ctx);
+ }
+ } else {
+ return EINVAL;
+ }
+
+ /* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */
+ nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ return 0;
+ } else if (NT_STATUS_EQUAL(nt_status, 
NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+
+ krb5_set_error_message(context, EINVAL, "Failed to open Samba4 LDB at %s", lpcfg_private_path(base_ctx, base_ctx->lp_ctx, "sam.ldb"));
+ } else {
+ krb5_set_error_message(context, EINVAL, "Failed to connect to Samba4 DB: %s (%s)", get_friendly_nt_error_msg(nt_status), nt_errstr(nt_status));
+ }
+
+ return EINVAL;
+}
+
+/* Only used in the hdb-backed keytab code
+ * for a keytab of 'samba4&
' or samba4, to find
+ * kpasswd's key in the main DB, and to
+ * copy all the keys into a file (libnet_keytab_export)
+ *
+ * The
is the string form of a pointer to a talloced struct hdb_samba_context + */ +struct hdb_method hdb_samba4_interface = { + .interface_version = HDB_INTERFACE_VERSION, + .prefix = "samba4", + .create = hdb_samba4_create +}; diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index f82712e2b2..6a9e5587bf 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -218,35 +218,3 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx, return NT_STATUS_OK; } - -static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg) -{ - NTSTATUS nt_status; - void *ptr; - struct samba_kdc_base_context *base_ctx; - - if (sscanf(arg, "&%p", &ptr) != 1) { - return EINVAL; - } - base_ctx = talloc_get_type_abort(ptr, struct samba_kdc_base_context); - /* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */ - nt_status = hdb_samba4_create_kdc(base_ctx, context, db); - - if (NT_STATUS_IS_OK(nt_status)) { - return 0; - } - return EINVAL; -} - -/* Only used in the hdb-backed keytab code - * for a keytab of 'samba4&
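Review bot: In the kadmin branch of hdb_samba4_create() the results of s4_event_context_init(), loadparm_init_global(), lpcfg_load() and lpcfg_load_default() are never checked, so an unparsable smb.conf still reaches hdb_samba4_create_kdc() with a half-initialised base_ctx, and on every failure after talloc_zero() the base_ctx allocated off NULL is leaked. Only that branch owns base_ctx — the `&%p` branch borrows the caller's — so the cleanup needs an ownership flag; the rewrite below adds one, fails early with a krb5 error message when the config cannot be loaded, and frees the context on the EINVAL paths after krb5_set_error_message() has copied its text. Since `arg` now also arrives from the krb5.conf `dbname` string, the `&%p` branch deserves a comment such as `/* In-process callers (kdc.c, libnet) pass their own context as "&<pointer>"; kadmin passes a config path or nothing */`. The `2005-20011` in the new file's copyright header looks like a typo for 2011.
```c
static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg)
{
	NTSTATUS nt_status;
	void *ptr;
	struct samba_kdc_base_context *base_ctx;
	bool owns_base_ctx = false;	/* only the kadmin branch allocates base_ctx itself */

	/* … unchanged: "&%p" branch taking the caller's base_ctx … */
	} else if (arg[0] == '\0' || file_exist(arg)) {
		/* This mode for use in kadmin, rather than in Samba */
		bool loaded;

		setup_logging("hdb_samba4", DEBUG_DEFAULT_STDERR);

		base_ctx = talloc_zero(NULL, struct samba_kdc_base_context);
		if (!base_ctx) {
			return ENOMEM;
		}
		owns_base_ctx = true;

		base_ctx->ev_ctx = s4_event_context_init(base_ctx);
		base_ctx->lp_ctx = loadparm_init_global(false);
		if (base_ctx->ev_ctx == NULL || base_ctx->lp_ctx == NULL) {
			talloc_free(base_ctx);
			return ENOMEM;
		}

		loaded = arg[0] ? lpcfg_load(base_ctx->lp_ctx, arg)
				: lpcfg_load_default(base_ctx->lp_ctx);
		if (!loaded) {
			krb5_set_error_message(context, EINVAL, "Failed to load smb.conf %s",
					       arg[0] ? arg : "(default)");
			talloc_free(base_ctx);
			return EINVAL;
		}
	} else {
		return EINVAL;
	}

	/* … unchanged: hdb_samba4_create_kdc() call … */
	if (NT_STATUS_IS_OK(nt_status)) {
		return 0;
	}
	/* … unchanged: the two krb5_set_error_message() calls … */

	/* the error text has been copied into context, so the context can go now */
	if (owns_base_ctx) {
		talloc_free(base_ctx);
	}
	return EINVAL;
}
```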
', to find - * kpasswd's key in the main DB, and to - * copy all the keys into a file (libnet_keytab_export) - * - * The
is the string form of a pointer to a talloced struct hdb_samba_context - */ -struct hdb_method hdb_samba4 = { - .interface_version = HDB_INTERFACE_VERSION, - .prefix = "samba4", - .create = hdb_samba4_create -}; diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index 4e1e27c42b..9679144237 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -38,7 +38,6 @@ NTSTATUS server_service_kdc_init(void); extern struct krb5plugin_windc_ftable windc_plugin_table; -extern struct hdb_method hdb_samba4; static NTSTATUS kdc_proxy_unavailable_error(struct kdc_server *kdc, TALLOC_CTX *mem_ctx, @@ -1006,7 +1005,7 @@ static void kdc_task_init(struct task_server *task) ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context, PLUGIN_TYPE_DATA, "hdb", - &hdb_samba4); + &hdb_samba4_interface); if(ret) { task_server_terminate(task, "kdc: failed to register hdb plugin", true); return; diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h index 3852955e45..1c3bb1687b 100644 --- a/source4/kdc/samba_kdc.h +++ b/source4/kdc/samba_kdc.h @@ -49,4 +49,6 @@ struct samba_kdc_entry { hdb_entry_ex *entry_ex; }; +extern struct hdb_method hdb_samba4_interface; + #endif /* _SAMBA_KDC_H_ */ diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build index aec1cb28d9..6a6e4f2114 100644 --- a/source4/kdc/wscript_build +++ b/source4/kdc/wscript_build 
@@ -9,12 +9,22 @@ bld.SAMBA_MODULE('service_kdc', ) -bld.SAMBA_SUBSYSTEM('HDB_SAMBA4', - source='hdb-samba4.c', - deps='ldb auth4_sam auth_sam_reply samba-credentials hdb db-glue samba-hostconfig com_err', - includes='../heimdal/kdc', - ) - +bld.SAMBA_LIBRARY('HDB_SAMBA4', + source='hdb-samba4.c hdb-samba4-plugin.c', + deps='ldb auth4_sam auth_sam_reply samba-credentials hdb db-glue samba-hostconfig com_err', + includes='../heimdal/kdc', + private_library=True + ) + +# A plugin for Heimdal's kadmin for users who need to operate that tool +bld.SAMBA_LIBRARY('HDB_SAMBA4_PLUGIN', + source='hdb-samba4-plugin.c', + deps='hdb HDB_SAMBA4 samba-util samba-hostconfig ', + includes='../heimdal/kdc', + link_name='modules/hdb/hdb_samba4.so', + realname='hdb_samba4.so', + install_path='${MODULESDIR}/hdb', + ) bld.SAMBA_SUBSYSTEM('WDC_SAMBA4', source='wdc-samba4.c', diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c index 2dae370b1a..593f5fd5d9 100644 --- a/source4/libnet/libnet_export_keytab.c +++ b/source4/libnet/libnet_export_keytab.c @@ -5,8 +5,6 @@ #include "kdc/samba_kdc.h" #include "libnet/libnet.h" -extern struct hdb_method hdb_samba4; - NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_export_keytab *r) { krb5_error_code ret; @@ -35,7 +33,7 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s ret = krb5_plugin_register(smb_krb5_context->krb5_context, PLUGIN_TYPE_DATA, "hdb", - &hdb_samba4); + &hdb_samba4_interface); if(ret) { return NT_STATUS_NO_MEMORY; } -- cgit
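Review bot: hdb-samba4-plugin.c is compiled twice in this hunk: it sits in the `source=` of the new HDB_SAMBA4 library and again in HDB_SAMBA4_PLUGIN, which also lists HDB_SAMBA4 in its deps, so hdb_samba4_interface and hdb_samba4_create end up defined both in the plugin object and in the private library it links against. Which copy a reference binds to then depends on the loader's lookup order rather than on the build description, which looks like symbol-interposition territory. Giving the file one home — presumably keeping it in HDB_SAMBA4 (kdc.c and libnet_export_keytab.c reference hdb_samba4_interface through it) and dropping it from the plugin's `source=`, if Heimdal's lookup of the plugin symbol follows that library's dependencies — would remove the ambiguity; if it does not, the reverse split with the plugin keeping the file and HDB_SAMBA4 losing it is the alternative. The trailing space in `deps='hdb HDB_SAMBA4 samba-util samba-hostconfig '` is harmless but worth trimming.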