s4:kdc: Update Samba KDC plugin to match new Heimdal version
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 19 Jun 2023 23:14:50 +0000 (11:14 +1200)
committerStefan Metzmacher <metze@samba.org>
Mon, 26 Jun 2023 11:10:31 +0000 (11:10 +0000)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/kdc/wdc-samba4.c

index 8120efd6af3f771d4966bcef1aa05d6a43c954bb..609423000770bd4ed2f92d2564ab6a7cb4281df1 100644 (file)
@@ -240,7 +240,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 }
 
 static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r,
-                                            const krb5_principal delegated_proxy_principal,
+                                            const hdb_entry *delegated_proxy,
                                             const hdb_entry *client,
                                             const hdb_entry *server,
                                             const hdb_entry *krbtgt,
@@ -295,7 +295,7 @@ static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r,
                flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
        }
 
-       if (delegated_proxy_principal != NULL) {
+       if (delegated_proxy != NULL) {
                krb5_enctype etype;
                Key *key = NULL;
 
@@ -374,8 +374,9 @@ out:
 /* Resign (and reform, including possibly new groups) a PAC */
 
 static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
-                                          const krb5_principal _client_principal,
-                                          const krb5_principal delegated_proxy_principal,
+                                          krb5_const_principal _client_principal,
+                                          hdb_entry *delegated_proxy,
+                                          krb5_const_pac delegated_proxy_pac,
                                           hdb_entry *client,
                                           hdb_entry *server,
                                           hdb_entry *krbtgt,
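Review bot: The new `delegated_proxy_pac` parameter added to samba_wdc_reget_pac is not referenced in any hunk shown for this function, so whether it is consumed further down the body or reserved for a follow-up commit cannot be seen here. If it is intentionally unused for now, a short comment on the parameter such as `/* delegated_proxy_pac: PAC from the proxy's ticket; not yet consumed here */` would record that and explain the otherwise silent parameter to the next reader; builds with -Wunused-parameter would flag it as well. samba_wdc_reget_pac's signature and body continue past this hunk.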
@@ -384,6 +385,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
        krb5_context context = kdc_request_get_context((kdc_request_t)r);
        const hdb_entry *device = kdc_request_get_explicit_armor_client(r);
        const krb5_const_pac device_pac = kdc_request_get_explicit_armor_pac(r);
+       krb5_const_principal delegated_proxy_principal = NULL;
        struct samba_kdc_entry *client_skdc_entry = NULL;
        struct samba_kdc_entry *device_skdc_entry = NULL;
        const struct samba_kdc_entry *server_skdc_entry =
@@ -402,6 +404,10 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
                return ENOMEM;
        }
 
+       if (delegated_proxy != NULL) {
+               delegated_proxy_principal = delegated_proxy->principal;
+       }
+
        if (client != NULL) {
                client_skdc_entry = talloc_get_type_abort(client->context,
                                                          struct samba_kdc_entry);
@@ -477,8 +483,8 @@ out:
 /* Verify a PAC's SID and signatures */
 
 static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
-                                           const krb5_principal client_principal,
-                                           const krb5_principal delegated_proxy_principal,
+                                           krb5_const_principal _client_principal,
+                                           hdb_entry *delegated_proxy,
                                            hdb_entry *client,
                                            hdb_entry *server,
                                            hdb_entry *krbtgt,
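Review bot: Renaming `client_principal` to `_client_principal` in samba_wdc_verify_pac presumably marks the parameter as unused, matching `_client_principal` on samba_wdc_reget_pac, but nothing in the hunk shows where the client principal is obtained instead. If that reading is right, a one-line note under `/* Verify a PAC's SID and signatures */` saying that the principal argument is deliberately not consulted would spare a future reviewer from checking; if the parameter is still read somewhere in the body, the underscore prefix is misleading and should be dropped. The signature and body continue outside this hunk.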
@@ -499,16 +505,15 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
        krb5_const_pac explicit_armor_pac =
                kdc_request_get_explicit_armor_pac(r);
 
-       if (delegated_proxy_principal) {
+       if (delegated_proxy) {
                uint16_t rodc_id;
                unsigned int my_krbtgt_number;
 
                /*
-                * We're using delegated_proxy_principal for the moment to
-                * indicate cases where the ticket was encrypted with the server
-                * key, and not a krbtgt key. This cannot be trusted, so we need
-                * to find a krbtgt key that signs the PAC in order to trust the
-                * ticket.
+                * We're using delegated_proxy for the moment to indicate cases
+                * where the ticket was encrypted with the server key, and not a
+                * krbtgt key. This cannot be trusted, so we need to find a
+                * krbtgt key that signs the PAC in order to trust the ticket.
                 *
                 * The krbtgt passed in to this function refers to the krbtgt
                 * used to decrypt the ticket of the server requesting
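Review bot: The NULL test at the top of this hunk is written as `if (delegated_proxy) {`, whereas the same check on the new hdb_entry pointer is spelled `if (delegated_proxy != NULL) {` in samba_wdc_verify_pac2 and samba_wdc_reget_pac; the explicit form would keep the three sites consistent. The reworded comment still conveys the security-relevant point — a non-NULL delegated_proxy means the ticket was encrypted with the server key, not a krbtgt key, and is untrusted until a krbtgt-signed PAC is located — which is worth keeping as is. The if body and the rest of samba_wdc_verify_pac lie outside this hunk.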
@@ -618,7 +623,7 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
        }
 
        ret = samba_wdc_verify_pac2(r,
-                                   delegated_proxy_principal,
+                                   delegated_proxy,
                                    client,
                                    server,
                                    krbtgt,