s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 1 Dec 2022 02:35:56 +0000 (15:35 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 18 May 2023 04:53:30 +0000 (04:53 +0000)
Our KDC plugin can use this to store NTSTATUS codes that can be added to
the final KDC reply later.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/hdb-samba4.c
source4/kdc/kdc-glue.h

index d6bd91302649885f2b93a66299c4d9e21fe1ac33..12dd746ad1841bf0af924150e53fef29811b5193 100644 (file)
@@ -531,6 +531,45 @@ static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx,
        TALLOC_FREE(subreq);
 }
 
+#define SAMBA_HDB_NT_STATUS_OBJ "samba:nt_status_obj"
+#define SAMBA_HDB_NT_STATUS "samba:nt_status"
+
+struct hdb_ntstatus_obj {
+       NTSTATUS status;
+       krb5_error_code current_error;
+};
+
+/*
+ * Add an NTSTATUS code to a Kerberos request. ‘error’ is the error value we
+ * want to return to the client. When it comes time to generating the error
+ * request, we shall compare this error value to whatever error we are about to
+ * return; if the two match, we shall replace the ‘e-data’ field in the reply
+ * with the NTSTATUS code.
+ */
+krb5_error_code hdb_samba4_set_ntstatus(astgs_request_t r,
+                                       const NTSTATUS status,
+                                       const krb5_error_code error)
+{
+       struct hdb_ntstatus_obj *status_obj = NULL;
+
+       status_obj = kdc_object_alloc(sizeof (*status_obj),
+                                     SAMBA_HDB_NT_STATUS_OBJ,
+                                     NULL);
+       if (status_obj == NULL) {
+               return ENOMEM;
+       }
+
+       *status_obj = (struct hdb_ntstatus_obj) {
+               .status = status,
+               .current_error = error,
+       };
+
+       heim_audit_setkv_object((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS, status_obj);
+       heim_release(status_obj);
+
+       return 0;
+}
+
 static krb5_error_code hdb_samba4_audit(krb5_context context,
                                        HDB *db,
                                        hdb_entry *entry,
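Review bot: The doc comment above `hdb_samba4_set_ntstatus` leaves out what a caller needs to know: it never says the function returns 0 or `ENOMEM`, and "generating the error request" presumably means the error reply. Because the stored status ends up in the `e-data` of a reply that may go to a client that has not yet authenticated, the comment should also tell callers to attach only statuses that are acceptable to disclose at that point, for example ones that do not distinguish an unknown principal from a known one. A suggested extra line is `* Returns 0 on success or ENOMEM; only pass a status that is safe to reveal to the requesting client.` It would also help to state that the request keeps its own reference to the object, which is what makes the `heim_release()` directly after `heim_audit_setkv_object()` correct; that ownership is inferred from the call pattern and is not visible in this hunk.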
index 7a0184c40217f23735ed91de531d046032294609..d5c548450d3a102ac11e6c6e4222566a2390614d 100644 (file)
@@ -49,6 +49,10 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
 NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
                                       krb5_context context, struct HDB **db);
 
+krb5_error_code hdb_samba4_set_ntstatus(astgs_request_t r,
+                                       NTSTATUS status,
+                                       krb5_error_code error);
+
 /* from kdc-glue.c */
 int kdc_check_pac(krb5_context krb5_context,
                  DATA_BLOB server_sig,