r12179: Allow our KDC to use LDAP to get to the backend database.

To avoid a circular depenency, it is not allowed to use Krb5 as an
authentication mechanism, so this must be removed from the list.  An
extension to the credentials system allows this function.

Also remove proto.h use for any of the KDC, and use NTSTATUS returns
in more places.

Andrew Bartlett

7 files changed, 100 insertions, 26 deletions

diff --git a/source/auth/credentials/credentials_gensec.c b/source/auth/credentials/credentials_gensec.c
index 077e4689ec0..fcaa760ed4c 100644
--- a/source/auth/credentials/credentials_gensec.c
+++ b/source/auth/credentials/credentials_gensec.c
@@ -24,8 +24,53 @@
 
 const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds) 
 {
-	if (!creds->gensec_list) {
+	if (!creds || !creds->gensec_list) {
 		return gensec_security_all();
 	}
 	return creds->gensec_list;
 }
+
+static NTSTATUS cli_credentials_gensec_remove_mech(struct cli_credentials *creds,
+						   const struct gensec_security_ops *remove_mech) 
+{
+	const struct gensec_security_ops **gensec_list;
+	const struct gensec_security_ops **new_gensec_list;
+	int i, j;
+
+	gensec_list = cli_credentials_gensec_list(creds);
+
+	for (i=0; gensec_list && gensec_list[i]; i++) {
+		/* noop */
+	}
+
+	new_gensec_list = talloc_array(creds, const struct gensec_security_ops *, i + 1);
+	if (!new_gensec_list) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	j = 0;
+	for (i=0; gensec_list && gensec_list[i]; i++) {
+		if (gensec_list[i] != remove_mech) {
+			new_gensec_list[j] = gensec_list[i];
+			j++;
+		}
+	}
+	new_gensec_list[j] = NULL; 
+	
+	creds->gensec_list = new_gensec_list;
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS cli_credentials_gensec_remove_oid(struct cli_credentials *creds,
+					   const char *oid) 
+{
+	const struct gensec_security_ops *gensec_by_oid;
+
+	gensec_by_oid = gensec_security_by_oid(NULL, oid);
+	if (!gensec_by_oid) {
+		return NT_STATUS_OK;
+	}
+
+	return cli_credentials_gensec_remove_mech(creds, gensec_by_oid);
+}
diff --git a/source/auth/gensec/gensec.c b/source/auth/gensec/gensec.c
index 0d79cb892cb..26f245787be 100644
--- a/source/auth/gensec/gensec.c
+++ b/source/auth/gensec/gensec.c
@@ -53,8 +53,8 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
 	return NULL;
 }
 
-static const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
-								const char *oid_string)
+const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security *gensec_security,
+							 const char *oid_string)
 {
 	int i, j;
 	const struct gensec_security_ops **backends;
@@ -805,6 +805,9 @@ NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct
 
 struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security) 
 {
+	if (!gensec_security) {
+		return NULL;
+	}
 	return gensec_security->credentials;
 }
 
diff --git a/source/kdc/config.mk b/source/kdc/config.mk
index 9e07ecab19a..ef14f838938 100644
--- a/source/kdc/config.mk
+++ b/source/kdc/config.mk
@@ -3,6 +3,7 @@
 #######################
 # Start SUBSYSTEM KDC
 [SUBSYSTEM::KDC]
+NOPROTO = YES
 INIT_OBJ_FILES = \
 		kdc.o \
 		pac-glue.o \
diff --git a/source/kdc/hdb-ldb.c b/source/kdc/hdb-ldb.c
index e9c1855a100..9b1d673764b 100644
--- a/source/kdc/hdb-ldb.c
+++ b/source/kdc/hdb-ldb.c
@@ -40,6 +40,7 @@
 #include "lib/ldb/include/ldb_errors.h"
 #include "system/iconv.h"
 #include "librpc/gen_ndr/netlogon.h"
+#include "auth/auth.h"
 
 enum hdb_ldb_ent_type 
 { HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER, 
@@ -588,7 +589,8 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con
 		talloc_free(res);
 		return HDB_ERR_NOENTRY;
 	}
-	*pmsg = talloc_steal(mem_ctx, res->msgs);
+	talloc_steal(mem_ctx, res->msgs);
+	*pmsg = res->msgs;
 	talloc_free(res);
 	return 0;
 }
@@ -680,7 +682,7 @@ static krb5_error_code LDB_fetch_ex(krb5_context context, HDB *db, unsigned flag
 
 	const char *realm;
 	const struct ldb_dn *realm_dn;
-	TALLOC_CTX *mem_ctx = talloc_named(NULL, 0, "LDB_fetch context");
+	TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context");
 
 	if (!mem_ctx) {
 		krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!");
@@ -1037,25 +1039,44 @@ static krb5_error_code LDB_destroy(krb5_context context, HDB *db)
 	return 0;
 }
 
-krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx, 
-			       krb5_context context, struct HDB **db, const char *arg)
+NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx, 
+			krb5_context context, struct HDB **db, const char *arg)
 {
+	NTSTATUS nt_status;
+	struct auth_session_info *session_info;
 	*db = talloc(mem_ctx, HDB);
 	if (!*db) {
 		krb5_set_error_string(context, "malloc: out of memory");
-		return ENOMEM;
+		return NT_STATUS_NO_MEMORY;
 	}
 
 	(*db)->hdb_master_key_set = 0;
 	(*db)->hdb_db = NULL;
 
+	nt_status = auth_system_session_info(*db, &session_info);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return nt_status;
+	}
+	
+	/* The idea here is very simple.  Using Kerberos to
+	 * authenticate the KDC to the LDAP server is higly likely to
+	 * be circular.
+	 *
+	 * In future we may set this up to use EXERNAL and SSL
+	 * certificates, for now it will almost certainly be NTLMSSP
+	*/
+	
+	nt_status = cli_credentials_gensec_remove_oid(session_info->credentials, 
+						      GENSEC_OID_KERBEROS5);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return nt_status;
+	}
+
 	/* Setup the link to LDB */
-	(*db)->hdb_db = samdb_connect(*db, system_session(db));
+	(*db)->hdb_db = samdb_connect(*db, session_info);
 	if ((*db)->hdb_db == NULL) {
-		krb5_warnx(context, "hdb_ldb_create: samdb_connect failed!");
-		krb5_set_error_string(context, "samdb_connect failed!");
-		talloc_free(*db);
-		return HDB_ERR_NOENTRY;
+		DEBUG(1, ("hdb_ldb_create: Cannot open samdb for KDC backend!"));
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
 	(*db)->hdb_openp = 0;
@@ -1077,5 +1098,5 @@ krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
 	(*db)->hdb__del = NULL;
 	(*db)->hdb_destroy = LDB_destroy;
 
-	return 0;
+	return NT_STATUS_OK;
 }
diff --git a/source/kdc/kdc.c b/source/kdc/kdc.c
index bcf7ed968ca..7e165ae3491 100644
--- a/source/kdc/kdc.c
+++ b/source/kdc/kdc.c
@@ -564,12 +564,10 @@ static void kdc_task_init(struct task_server *task)
 	}
 	kdc->config->num_db = 1;
 		
-	ret = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context, 
-			     &kdc->config->db[0], NULL);
-	if (ret != 0) {
-		DEBUG(1, ("kdc_task_init: hdb_ldb_create fails: %s\n", 
-			  smb_get_krb5_error_message(kdc->smb_krb5_context->krb5_context, ret, kdc))); 
-		task_server_terminate(task, "kdc: hdb_ldb_create failed");
+	status = hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context, 
+				   &kdc->config->db[0], NULL);
+	if (!NT_STATUS_IS_OK(status)) {
+		task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed");
 		return; 
 	}
 
diff --git a/source/kdc/kdc.h b/source/kdc/kdc.h
index 99c419d4d9c..0cf3199c522 100644
--- a/source/kdc/kdc.h
+++ b/source/kdc/kdc.h
@@ -27,8 +27,14 @@
 #include "heimdal/lib/hdb/hdb.h"
 #include "kdc/pac-glue.h"
 
-krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx, 
-			       krb5_context context, struct HDB **db, const char *arg);
+NTSTATUS hdb_ldb_create(TALLOC_CTX *mem_ctx, 
+			krb5_context context, struct HDB **db, const char *arg);
+BOOL kpasswdd_process(struct kdc_server *kdc,
+		      TALLOC_CTX *mem_ctx, 
+		      DATA_BLOB *input, 
+		      DATA_BLOB *reply,
+		      const char *from,
+		      int src_port);
 
 /*
   top level context structure for the kdc server
diff --git a/source/kdc/pac-glue.c b/source/kdc/pac-glue.c
index bd4d3e6a2fe..79e7b3c5a76 100644
--- a/source/kdc/pac-glue.c
+++ b/source/kdc/pac-glue.c
@@ -81,7 +81,7 @@ static krb5_error_code samba_get_pac(krb5_context context,
 }
 
 /* Wrap the PAC in the right ASN.1.  Will always free 'pac', on success or failure */
-krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData **out) 
+static krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData **out) 
 {
 	krb5_error_code ret;
 
@@ -144,7 +144,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
    set, or if they specificaly asked not to get it.
 */
 
- krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex, 
+krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex, 
 					   METHOD_DATA* pa_data_seq,
 					   time_t authtime,
 					   EncryptionKey *tgtkey,
@@ -204,7 +204,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
 
 /* Resign (and reform, including possibly new groups) a PAC */
 
- krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex, 
+krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex, 
 					    krb5_principal client, 
 					    AuthorizationData *in, 
 					    time_t authtime,
@@ -316,7 +316,7 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData
 /* Given an hdb entry (and in particular it's private member), consult
  * the account_ok routine in auth/auth_sam.c for consistancy */
 
- krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex, 
+krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex, 
 					    HostAddresses *addresses)
 {
 	krb5_error_code ret;