s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB

This overloads the 'name' part of the keytab name to supply a context
pointer, and so avoids 3 global variables!

To do this, we had to stop putting the entry for kpasswd into the
secrets.ldb.  (I don't consider this a big loss, and any entry left
there by an upgrade will be harmless).

Andrew Bartlett

1 files changed, 9 insertions, 3 deletions

diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 8f2cb681298..3a393485785 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -447,7 +447,9 @@ bool kpasswdd_process(struct kdc_server *kdc,
 	struct cli_credentials *server_credentials;
 	struct gensec_security *gensec_security;
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-	
+
+	char *keytab_name;
+
 	if (!tmp_ctx) {
 		return false;
 	}
@@ -489,8 +491,12 @@ bool kpasswdd_process(struct kdc_server *kdc,
 	 * we already have, rather than a new context */	
 	cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
 	cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
-	nt_status = cli_credentials_set_stored_principal(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, "kadmin/changepw");
-	if (!NT_STATUS_IS_OK(nt_status)) {
+
+	keytab_name = talloc_asprintf(server_credentials, "HDB:samba4&%p", kdc->hdb_samba4_context);
+
+	cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED);
+	ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED);
+	if (ret != 0) {
 		ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, 
 						       KRB5_KPASSWD_HARDERROR,
 						       talloc_asprintf(mem_ctx,