From: Stefan Metzmacher Date: Mon, 2 Dec 2024 13:45:18 +0000 (+0100) Subject: s4:kdc: pass the full samba_kdc_db_context to most helper functions X-Git-Tag: tevent-0.17.0~767 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e4095b45c0fd0a5c44d10620ac679ea5833ff96;p=thirdparty%2Fsamba.git s4:kdc: pass the full samba_kdc_db_context to most helper functions Signed-off-by: Stefan Metzmacher Reviewed-by: Jennifer Sutton Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Feb 14 15:19:24 UTC 2025 on atb-devel-224 --- diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 9fad9934058..71bb83e7398 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1645,7 +1645,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * they may fail to authenticate. */ ret = samba_kdc_get_user_info_from_db(tmp_ctx, - kdc_db_ctx->samdb, + kdc_db_ctx, p, msg, &user_info_dc); diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 33b2522d4c9..eb8cd9686cd 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -359,7 +359,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db, code = samba_kdc_get_user_info_dc(mem_ctx, context, - kdc_db_ctx->samdb, + kdc_db_ctx, client_pac_entry, &client_info, NULL /* resource_groups_out */); @@ -369,7 +369,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db, code = samba_kdc_get_claims_data(mem_ctx, context, - kdc_db_ctx->samdb, + kdc_db_ctx, client_pac_entry, &auth_claims.user_claims); if (code) { @@ -395,7 +395,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db, code = samba_kdc_get_user_info_dc(mem_ctx, context, - kdc_db_ctx->samdb, + kdc_db_ctx, device_pac_entry, &device_info, NULL /* resource_groups_out */); @@ -405,7 +405,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db, code = samba_kdc_get_claims_data(mem_ctx, context, - kdc_db_ctx->samdb, + kdc_db_ctx, device_pac_entry, &auth_claims.device_claims); if (code) { 
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index e6aa94aee37..72dc60bbdb6 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -516,7 +516,7 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx, } code = samba_kdc_get_user_info_from_db(tmp_ctx, - server_entry->kdc_db_ctx->samdb, + server_entry->kdc_db_ctx, skdc_entry, skdc_entry->msg, &user_info_dc); @@ -722,7 +722,7 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, code = samba_kdc_verify_pac(tmp_ctx, context, - krbtgt_skdc_entry->kdc_db_ctx->samdb, + krbtgt_skdc_entry->kdc_db_ctx, flags, client_pac_entry, krbtgt_skdc_entry); @@ -732,8 +732,7 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, code = samba_kdc_update_pac(tmp_ctx, context, - krbtgt_skdc_entry->kdc_db_ctx->samdb, - krbtgt_skdc_entry->kdc_db_ctx->lp_ctx, + krbtgt_skdc_entry->kdc_db_ctx, flags, client_pac_entry, server->princ, @@ -1006,7 +1005,7 @@ krb5_error_code mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, } code = samba_kdc_get_user_info_from_db(tmp_ctx, - ctx->db_ctx->samdb, + ctx->db_ctx, p, p->msg, &user_info_dc); diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 2f21d7addbc..644cc526318 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -1117,14 +1117,14 @@ NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx, } krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx, - struct ldb_context *samdb, + struct samba_kdc_db_context *kdc_db_ctx, struct samba_kdc_entry *entry, const struct ldb_message *msg, const struct auth_user_info_dc **info_out) { NTSTATUS nt_status; - if (samdb == NULL) { + if (kdc_db_ctx == NULL) { return EINVAL; } 
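Review bot: The guard at the top of samba_kdc_get_user_info_from_db() in pac-glue.c now tests only `kdc_db_ctx == NULL`, so a context whose `samdb` member is NULL no longer returns EINVAL and is instead passed on to authsam_make_user_info_dc() in the following hunk. Whether a context can exist without an open samdb is not visible here, but keeping the old rejection costs one clause: `if (kdc_db_ctx == NULL || kdc_db_ctx->samdb == NULL) {`. The function body continues outside this hunk.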
@@ -1144,10 +1144,10 @@ krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx, if (entry->info_from_db == NULL) { struct auth_user_info_dc *info_from_db = NULL; - struct loadparm_context *lp_ctx = entry->kdc_db_ctx->lp_ctx; + struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; nt_status = authsam_make_user_info_dc(entry, - samdb, + kdc_db_ctx->samdb, lpcfg_netbios_name(lp_ctx), lpcfg_sam_name(lp_ctx), lpcfg_sam_dnsname(lp_ctx), @@ -1227,12 +1227,13 @@ out: static krb5_error_code samba_kdc_get_user_info_from_pac(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, + struct samba_kdc_db_context *kdc_db_ctx, const struct samba_kdc_entry_pac entry, const struct auth_user_info_dc **info_out, const struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out) { TALLOC_CTX *frame = NULL; + struct ldb_context *samdb = kdc_db_ctx->samdb; struct auth_user_info_dc *info = NULL; struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL; krb5_error_code ret = 0; @@ -1323,7 +1324,7 @@ out: krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, + struct samba_kdc_db_context *kdc_db_ctx, const struct samba_kdc_entry_pac entry, const struct auth_user_info_dc **info_out, const struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out) @@ -1342,7 +1343,7 @@ krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx, if (samba_krb5_pac_is_trusted(entry)) { return samba_kdc_get_user_info_from_pac(mem_ctx, context, - samdb, + kdc_db_ctx, entry, info_out, resource_groups_out); @@ -1363,7 +1364,7 @@ krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx, * here. */ ret = samba_kdc_get_user_info_from_db(mem_ctx, - samdb, + kdc_db_ctx, entry.entry, entry.entry->msg, &info); 
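Review bot: `lp_ctx` in samba_kdc_get_user_info_from_db() is now taken from the `kdc_db_ctx` argument instead of `entry->kdc_db_ctx`, which is a behaviour change rather than a pure signature change wherever the two differ. mit_samba_get_pac() and samba_wdc_get_pac() pass `server_entry->kdc_db_ctx` together with a different entry (`skdc_entry`), so the NetBIOS, SAM and DNS names given to authsam_make_user_info_dc() now come from the server entry's context. Presumably both entries share one context, but that is not shown in the diff; I would state the assumption above the declaration, e.g. `/* kdc_db_ctx is expected to be the context entry was looked up in (entry->kdc_db_ctx) */`. The function body starts and ends outside this hunk.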
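Review bot: The new initializer `struct ldb_context *samdb = kdc_db_ctx->samdb;` in samba_kdc_get_user_info_from_pac() dereferences `kdc_db_ctx` in the declarations, before any check can run, while samba_kdc_get_user_info_from_db() returns EINVAL for a NULL context. The same pattern is added to samba_kdc_allowed_to_authenticate_to() and samba_kdc_check_device() (for both `samdb` and `lp_ctx`), and samba_kdc_get_claims_data() dereferences the argument on its database fallback path. The visible callers all pass a member of an entry they already use, so this concerns the contract of the exported functions rather than a known crash. Either give them the same `if (kdc_db_ctx == NULL) { return EINVAL; }` guard with the locals assigned after it, or document above each function that `kdc_db_ctx` must be non-NULL. The function bodies continue outside the hunks.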
@@ -1782,8 +1783,7 @@ static WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_object_sids, * reference to it. */ krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx, - struct ldb_context *samdb, - struct loadparm_context *lp_ctx, + struct samba_kdc_db_context *kdc_db_ctx, const struct samba_kdc_entry *client, const struct auth_user_info_dc *client_info, const struct auth_user_info_dc *device_info, @@ -1792,6 +1792,8 @@ krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx, struct authn_audit_info **server_audit_info_out, NTSTATUS *status_out) { + struct ldb_context *samdb = kdc_db_ctx->samdb; + struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; krb5_error_code ret = 0; NTSTATUS status; _UNUSED_ NTSTATUS _status; @@ -2060,7 +2062,7 @@ static krb5_error_code samba_kdc_get_device_info_pac_blob(TALLOC_CTX *mem_ctx, static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, + struct samba_kdc_db_context *kdc_db_ctx, const struct samba_kdc_entry_pac device, DATA_BLOB **device_info_blob) { @@ -2078,7 +2080,7 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx, code = samba_kdc_get_user_info_dc(frame, context, - samdb, + kdc_db_ctx, device, &device_info, NULL /* resource_groups_out */); @@ -2139,7 +2141,7 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx, */ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, + struct samba_kdc_db_context *kdc_db_ctx, uint32_t flags, const struct samba_kdc_entry_pac client, const struct samba_kdc_entry *krbtgt) @@ -2178,7 +2180,7 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, } code = samba_kdc_get_user_info_from_db(tmp_ctx, - samdb, + kdc_db_ctx, client.entry, client.entry->msg, &user_info_dc); 
@@ -2325,8 +2327,7 @@ done: */ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, - struct loadparm_context *lp_ctx, + struct samba_kdc_db_context *kdc_db_ctx, uint32_t flags, const struct samba_kdc_entry_pac client, const krb5_const_principal server_principal, @@ -2405,7 +2406,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, */ code = samba_kdc_get_claims_data(tmp_ctx, context, - samdb, + kdc_db_ctx, device, &auth_claims.device_claims); if (code) { @@ -2427,7 +2428,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, code = samba_kdc_get_device_info_blob(tmp_ctx, context, - samdb, + kdc_db_ctx, device, &device_info_blob); if (code != 0) { @@ -2465,7 +2466,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, */ code = samba_kdc_get_user_info_dc(tmp_ctx, context, - samdb, + kdc_db_ctx, client, &user_info_dc_const, is_tgs ? &_resource_groups : NULL); @@ -2492,7 +2493,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, code = samba_kdc_get_user_info_dc(tmp_ctx, context, - samdb, + kdc_db_ctx, delegated_proxy, &auth_user_info_dc, NULL /* resource_groups_out */); @@ -2507,7 +2508,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, /* Fetch the user’s claims. */ code = samba_kdc_get_claims_data(tmp_ctx, context, - samdb, + kdc_db_ctx, auth_entry, &auth_claims.user_claims); if (code) { @@ -2517,7 +2518,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, if (device.entry != NULL) { code = samba_kdc_get_user_info_dc(tmp_ctx, context, - samdb, + kdc_db_ctx, device, &device_info, NULL /* resource_groups_out */); @@ -2531,8 +2532,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, * mem_ctx, not the temporary context. */ code = samba_kdc_allowed_to_authenticate_to(mem_ctx, - samdb, - lp_ctx, + kdc_db_ctx, auth_entry.entry, auth_user_info_dc, device_info, 
@@ -2843,7 +2843,7 @@ done: krb5_error_code samba_kdc_get_claims_data(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, + struct samba_kdc_db_context *kdc_db_ctx, struct samba_kdc_entry_pac entry, struct claims_data **claims_data_out) { @@ -2871,7 +2871,7 @@ krb5_error_code samba_kdc_get_claims_data(TALLOC_CTX *mem_ctx, claims_data_out); } - return samba_kdc_get_claims_data_from_db(samdb, + return samba_kdc_get_claims_data_from_db(kdc_db_ctx->samdb, entry.entry, claims_data_out); } @@ -3020,14 +3020,15 @@ out: krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, - struct loadparm_context *lp_ctx, + struct samba_kdc_db_context *kdc_db_ctx, const struct samba_kdc_entry_pac device, const struct authn_kerberos_client_policy *client_policy, struct authn_audit_info **client_audit_info_out, NTSTATUS *status_out) { TALLOC_CTX *frame = NULL; + struct ldb_context *samdb = kdc_db_ctx->samdb; + struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; krb5_error_code code = 0; NTSTATUS nt_status; const struct auth_user_info_dc *device_info = NULL; @@ -3072,7 +3073,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, code = samba_kdc_get_user_info_dc(frame, context, - samdb, + kdc_db_ctx, device, &device_info, NULL); @@ -3086,7 +3087,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, */ code = samba_kdc_get_claims_data(frame, context, - samdb, + kdc_db_ctx, device, &auth_claims.user_claims); if (code) { diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h index 3a1a99708a8..974801df0e3 100644 --- a/source4/kdc/pac-glue.h +++ b/source4/kdc/pac-glue.h 
@@ -100,13 +100,13 @@ krb5_error_code samba_krbtgt_is_in_db(const struct samba_kdc_entry *skdc_entry, krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, + struct samba_kdc_db_context *kdc_db_ctx, const struct samba_kdc_entry_pac entry, const struct auth_user_info_dc **info_out, const struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out); krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx, - struct ldb_context *samdb, + struct samba_kdc_db_context *kdc_db_ctx, struct samba_kdc_entry *entry, const struct ldb_message *msg, const struct auth_user_info_dc **info_out); @@ -120,7 +120,7 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry, krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, + struct samba_kdc_db_context *kdc_db_ctx, uint32_t flags, const struct samba_kdc_entry_pac client, const struct samba_kdc_entry *krbtgt); @@ -128,8 +128,7 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, struct authn_audit_info; krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, - struct loadparm_context *lp_ctx, + struct samba_kdc_db_context *kdc_db_ctx, uint32_t flags, const struct samba_kdc_entry_pac client, const krb5_const_principal server_principal, @@ -162,8 +161,7 @@ NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx, const DATA_BLOB **_claims_blob); krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx, - struct ldb_context *samdb, - struct loadparm_context *lp_ctx, + struct samba_kdc_db_context *kdc_db_ctx, const struct samba_kdc_entry *client, const struct auth_user_info_dc *client_info, const struct auth_user_info_dc *device_info, 
@@ -174,8 +172,7 @@ krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx, krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, - struct loadparm_context *lp_ctx, + struct samba_kdc_db_context *kdc_db_ctx, const struct samba_kdc_entry_pac device, const struct authn_kerberos_client_policy *client_policy, struct authn_audit_info **client_audit_info_out, @@ -183,7 +180,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, krb5_error_code samba_kdc_get_claims_data(TALLOC_CTX *mem_ctx, krb5_context context, - struct ldb_context *samdb, + struct samba_kdc_db_context *kdc_db_ctx, struct samba_kdc_entry_pac entry, struct claims_data **claims_data_out); diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index 330d21975b7..f4ac6e63061 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -126,7 +126,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, } ret = samba_kdc_get_user_info_from_db(mem_ctx, - server_entry->kdc_db_ctx->samdb, + server_entry->kdc_db_ctx, skdc_entry, skdc_entry->msg, &user_info_dc_const); @@ -220,7 +220,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, ret = samba_kdc_get_user_info_dc(mem_ctx, context, - server_entry->kdc_db_ctx->samdb, + server_entry->kdc_db_ctx, device_pac_entry, &device_info, NULL /* resource_groups_out */); @@ -231,7 +231,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, ret = samba_kdc_get_claims_data(mem_ctx, context, - server_entry->kdc_db_ctx->samdb, + server_entry->kdc_db_ctx, device_pac_entry, &auth_claims.device_claims); if (ret) { @@ -241,8 +241,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, } ret = samba_kdc_allowed_to_authenticate_to(mem_ctx, - server_entry->kdc_db_ctx->samdb, - server_entry->kdc_db_ctx->lp_ctx, + server_entry->kdc_db_ctx, skdc_entry, user_info_dc_shallow_copy, device_info, 
@@ -451,7 +450,7 @@ static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r, ret = samba_kdc_verify_pac(mem_ctx, context, - krbtgt_skdc_entry->kdc_db_ctx->samdb, + krbtgt_skdc_entry->kdc_db_ctx, flags, client_pac_entry, krbtgt_skdc_entry); @@ -536,8 +535,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r, ret = samba_kdc_update_pac(mem_ctx, context, - krbtgt_skdc_entry->kdc_db_ctx->samdb, - krbtgt_skdc_entry->kdc_db_ctx->lp_ctx, + krbtgt_skdc_entry->kdc_db_ctx, flags, client_pac_entry, server->principal, @@ -784,8 +782,7 @@ static krb5_error_code samba_wdc_check_client_access(void *priv, ret = samba_kdc_check_device(tmp_ctx, context, - kdc_entry->kdc_db_ctx->samdb, - kdc_entry->kdc_db_ctx->lp_ctx, + kdc_entry->kdc_db_ctx, device, kdc_entry->client_policy, &client_audit_info,