s4:kdc: Add function to get user_info_dc from database
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 17 Mar 2022 22:13:40 +0000 (11:13 +1300)
committerStefan Metzmacher <metze@samba.org>
Fri, 18 Mar 2022 11:55:30 +0000 (11:55 +0000)
The resulting user_info_dc is kept in the 'samba_kdc_entry' structure,
so it can be reused between calls.

This allows us to simplify samba_kdc_get_pac_blobs(), as it no longer
needs to return a user_info_dc structure.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/kdc/db-glue.c
source4/kdc/mit_samba.c
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h
source4/kdc/samba_kdc.h
source4/kdc/wdc-samba4.c
source4/kdc/wscript_build

index f8e0b24fd6e7942b554384dcae7eaa4a40f7951a..eef2a9dc4c040c5ddcfa49846e7ae37fb10034a4 100644 (file)
@@ -37,6 +37,7 @@
 #include "kdc/sdb.h"
 #include "kdc/samba_kdc.h"
 #include "kdc/db-glue.h"
+#include "kdc/pac-glue.h"
 #include "librpc/gen_ndr/ndr_irpc_c.h"
 #include "lib/messaging/irpc.h"
 
index 2503dc5d612ca09904493564a98a884a06da618b..80e3523e9c4b28acbecb75181c307b0dc6743d12 100644 (file)
@@ -511,8 +511,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                                            &upn_dns_info_blob,
                                            is_krbtgt ? &pac_attrs_blob : NULL,
                                            PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
-                                           is_krbtgt ? &requester_sid_blob : NULL,
-                                           NULL);
+                                           is_krbtgt ? &requester_sid_blob : NULL);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(tmp_ctx);
                if (NT_STATUS_EQUAL(nt_status,
@@ -968,18 +967,11 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
                return ENOMEM;
        }
 
-       status = authsam_make_user_info_dc(tmp_ctx,
-                                          ctx->db_ctx->samdb,
-                                          lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
-                                          lpcfg_sam_name(ctx->db_ctx->lp_ctx),
-                                          lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
-                                          p->realm_dn,
-                                          p->msg,
-                                          data_blob(NULL, 0),
-                                          data_blob(NULL, 0),
-                                          &user_info_dc);
+       status = samba_kdc_get_user_info_from_db(p,
+                                                p->msg,
+                                                &user_info_dc);
        if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1,("authsam_make_user_info_dc failed: %s\n",
+               DEBUG(1,("samba_kdc_get_user_info_from_db failed: %s\n",
                        nt_errstr(status)));
                talloc_free(tmp_ctx);
                return EINVAL;
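Review bot: user_info_dc is now allocated on p by samba_kdc_get_user_info_from_db rather than on tmp_ctx, so the talloc_free(tmp_ctx) at line 64 and the rest of mit_samba_kpasswd_change_password no longer release it; it outlives this call as part of p. Any later talloc_free() or talloc_steal() of user_info_dc in the remainder of the function (outside the hunk) would now leave a dangling cached pointer on p, so that code should be checked. The same ownership shift applies to the replaced call in samba_kdc_get_pac_blobs in pac-glue.c.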
index efeda9a998ca1cdea9cd514f7f08415296cc7fb4..5b0a454f34faa341514a1b85378d8673348f8831 100644 (file)
@@ -828,10 +828,37 @@ int samba_krbtgt_is_in_db(struct samba_kdc_entry *p,
 }
 
 /*
- * We return not just the blobs, but also the user_info_dc because we
- * will need, in the RODC case, to confirm that the returned user is
- * permitted to be replicated to the KDC
+ * Look up the user's info in the database and create a auth_user_info_dc
+ * structure. If the resulting structure is not talloc_free()d, it will be
+ * reused on future calls to this function.
  */
+NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
+                                         struct ldb_message *msg,
+                                         struct auth_user_info_dc **user_info_dc)
+{
+       if (skdc_entry->user_info_dc == NULL) {
+               NTSTATUS nt_status;
+               struct loadparm_context *lp_ctx = skdc_entry->kdc_db_ctx->lp_ctx;
+
+               nt_status = authsam_make_user_info_dc(skdc_entry,
+                                                     skdc_entry->kdc_db_ctx->samdb,
+                                                     lpcfg_netbios_name(lp_ctx),
+                                                     lpcfg_sam_name(lp_ctx),
+                                                     lpcfg_sam_dnsname(lp_ctx),
+                                                     skdc_entry->realm_dn,
+                                                     msg,
+                                                     data_blob_null,
+                                                     data_blob_null,
+                                                     &skdc_entry->user_info_dc);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       return nt_status;
+               }
+       }
+
+       *user_info_dc = skdc_entry->user_info_dc;
+       return NT_STATUS_OK;
+}
+
 NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                                 struct samba_kdc_entry *p,
                                 DATA_BLOB **_logon_info_blob,
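Review bot: The comment at lines 74-76 promises reuse "if the resulting structure is not talloc_free()d", but nothing clears skdc_entry->user_info_dc when the cached structure is freed, so a caller that does talloc_free() or talloc_steal() it leaves a dangling pointer that the next call hands out at line 101. Either state the ownership rule instead, e.g. `* The returned structure is owned by skdc_entry and reused on later calls;` / `* callers must not talloc_free() or talloc_steal() it.`, or attach a talloc destructor that resets the field. The msg parameter is also only consulted on the first call; later calls return the cached structure regardless of msg, which the comment should say (every caller in this commit passes the entry's own msg). The same wording belongs on the declaration added to pac-glue.h.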
@@ -839,10 +866,9 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                                 DATA_BLOB **_upn_info_blob,
                                 DATA_BLOB **_pac_attrs_blob,
                                 uint64_t pac_attributes,
-                                DATA_BLOB **_requester_sid_blob,
-                                struct auth_user_info_dc **_user_info_dc)
+                                DATA_BLOB **_requester_sid_blob)
 {
-       struct auth_user_info_dc *user_info_dc;
+       struct auth_user_info_dc *user_info_dc = NULL;
        DATA_BLOB *logon_blob = NULL;
        DATA_BLOB *cred_blob = NULL;
        DATA_BLOB *upn_blob = NULL;
@@ -893,15 +919,9 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                }
        }
 
-       nt_status = authsam_make_user_info_dc(mem_ctx, p->kdc_db_ctx->samdb,
-                                            lpcfg_netbios_name(p->kdc_db_ctx->lp_ctx),
-                                            lpcfg_sam_name(p->kdc_db_ctx->lp_ctx),
-                                            lpcfg_sam_dnsname(p->kdc_db_ctx->lp_ctx),
-                                            p->realm_dn,
-                                            p->msg,
-                                            data_blob(NULL, 0),
-                                            data_blob(NULL, 0),
-                                            &user_info_dc);
+       nt_status = samba_kdc_get_user_info_from_db(p,
+                                                   p->msg,
+                                                   &user_info_dc);
        if (!NT_STATUS_IS_OK(nt_status)) {
                DEBUG(0, ("Getting user info for PAC failed: %s\n",
                          nt_errstr(nt_status)));
@@ -950,15 +970,6 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                }
        }
 
-       /*
-        * Return to the caller to allow a check on the allowed/denied
-        * RODC replication groups
-        */
-       if (_user_info_dc == NULL) {
-               TALLOC_FREE(user_info_dc);
-       } else {
-               *_user_info_dc = user_info_dc;
-       }
        *_logon_info_blob = logon_blob;
        if (_cred_ndr_blob != NULL) {
                *_cred_ndr_blob = cred_blob;
@@ -1473,8 +1484,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                                                    &upn_blob,
                                                    NULL,
                                                    PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
-                                                   &requester_sid_blob,
-                                                   &user_info_dc);
+                                                   &requester_sid_blob);
                if (!NT_STATUS_IS_OK(nt_status)) {
                        DBG_ERR("samba_kdc_get_pac_blobs failed: %s\n",
                                nt_errstr(nt_status));
@@ -1482,6 +1492,16 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                        goto done;
                }
 
+               nt_status = samba_kdc_get_user_info_from_db(client,
+                                                           client->msg,
+                                                           &user_info_dc);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n",
+                               nt_errstr(nt_status));
+                       code = KRB5KDC_ERR_TGT_REVOKED;
+                       goto done;
+               }
+
                /*
                 * Check if the SID list in the user_info_dc intersects
                 * correctly with the RODC allow/deny lists.
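Review bot: The call at line 170 presumably returns the structure that samba_kdc_get_pac_blobs cached on the same entry just above (it calls samba_kdc_get_user_info_from_db itself), so a comment would make the second lookup's purpose clear, e.g. `/* Fetch the user_info_dc cached on 'client' by samba_kdc_get_pac_blobs() for the RODC allow/deny check below. */`. A database lookup failure is mapped to KRB5KDC_ERR_TGT_REVOKED at line 176; if that is meant to match the error chosen on the preceding failure path (outside the hunk), a comment saying so would help. samba_kdc_update_pac starts and ends outside the hunk.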
index 8c68a0455fd64dec4bb5740cdbe7cfc3a3f388a1..563214421c97d8d883b04ef843d918a3f0423590 100644 (file)
@@ -55,6 +55,10 @@ int samba_krbtgt_is_in_db(struct samba_kdc_entry *skdc_entry,
                          bool *is_in_db,
                          bool *is_untrusted);
 
+NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
+                                        struct ldb_message *msg,
+                                        struct auth_user_info_dc **user_info_dc);
+
 NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                                 struct samba_kdc_entry *skdc_entry,
                                 DATA_BLOB **_logon_info_blob,
@@ -62,8 +66,7 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                                 DATA_BLOB **_upn_info_blob,
                                 DATA_BLOB **_pac_attrs_blob,
                                 uint64_t pac_attributes,
-                                DATA_BLOB **_requester_sid_blob,
-                                struct auth_user_info_dc **_user_info_dc);
+                                DATA_BLOB **_requester_sid_blob);
 NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
                                   krb5_context context,
                                   struct ldb_context *samdb,
index 9b16fcc3b92c832f96d99d6df35f687535e37b5e..52f8d4a4221c7b7de1b0bcf832dcf73d20c37b0e 100644 (file)
@@ -56,6 +56,7 @@ struct samba_kdc_entry {
        struct samba_kdc_db_context *kdc_db_ctx;
        struct ldb_message *msg;
        struct ldb_dn *realm_dn;
+       struct auth_user_info_dc *user_info_dc;
        bool is_krbtgt;
        bool is_rodc;
        bool is_trust;
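Review bot: samba_kdc_get_user_info_from_db treats user_info_dc == NULL as "not yet cached", so every allocation of struct samba_kdc_entry must zero this field; the allocation site (db-glue.c, not in this diff) should be confirmed to use talloc_zero or an explicit initialiser. A short field comment would document the contract: `struct auth_user_info_dc *user_info_dc; /* cached by samba_kdc_get_user_info_from_db(); owned by this entry */`.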
index d1a9a0967090d28d028853e5d29c4fc12964ebe5..2f207e4c44106528053e345dbea71d1d812c208d 100644 (file)
@@ -78,8 +78,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
                                            &upn_blob,
                                            is_krbtgt ? &pac_attrs_blob : NULL,
                                            pac_attributes,
-                                           is_krbtgt ? &requester_sid_blob : NULL,
-                                           NULL);
+                                           is_krbtgt ? &requester_sid_blob : NULL);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(mem_ctx);
                return EINVAL;
index 26a68e9c37c400041b0d08930ecc18715d66c623..5c16e68ee0a61b38858a43cc54260c738e32d5ee 100644 (file)
@@ -134,7 +134,7 @@ bld.SAMBA_LIBRARY('pac',
 
 bld.SAMBA_LIBRARY('db-glue',
        source='db-glue.c',
-       deps='ldb auth4_sam common_auth samba-credentials sdb samba-hostconfig com_err RPC_NDR_IRPC MESSAGING',
+       deps='ldb auth4_sam common_auth samba-credentials sdb samba-hostconfig com_err RPC_NDR_IRPC MESSAGING PAC_GLUE',
        private_library=True,
        )