From: Andrew Bartlett
Date: Tue, 19 Dec 2023 02:58:49 +0000 (+1300)
Subject: libnet: Prepare to allow "samba-tool domain exportkeytab to support -H
X-Git-Tag: tdb-1.4.11~1472
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6cffcb3fb0ad286501f4fa3a231c00495c2ecbe;p=thirdparty%2Fsamba.git

libnet: Prepare to allow "samba-tool domain exportkeytab to support -H

We need to allow a samdb to be passed from the python to support using a specific DB or remote server for gMSA passwords. The gMSA passwords will not use this code, but we need to be consistant.

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 52667d8c49b..14eb9f7428b 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -3643,7 +3643,6 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
 {
 int ldb_ret;
 struct ldb_message *msg = NULL;
- struct auth_session_info *session_info = NULL;
 struct samba_kdc_db_context *kdc_db_ctx = NULL;
 /* The idea here is very simple. Using Kerberos to
 * authenticate the KDC to the LDAP server is highly likely to
@@ -3668,23 +3667,34 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
 &kdc_db_ctx->policy.usr_tkt_lifetime,
 &kdc_db_ctx->policy.renewal_lifetime);
 
- session_info = system_session(kdc_db_ctx->lp_ctx);
- if (session_info == NULL) {
- talloc_free(kdc_db_ctx);
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- /* Setup the link to LDB */
- kdc_db_ctx->samdb = samdb_connect(kdc_db_ctx,
- base_ctx->ev_ctx,
- base_ctx->lp_ctx,
- session_info,
- NULL,
- 0);
- if (kdc_db_ctx->samdb == NULL) {
- DBG_WARNING("Cannot open samdb for KDC backend!\n");
- talloc_free(kdc_db_ctx);
- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ /* This is to allow "samba-tool domain exportkeytab to take a -H */
+ if (base_ctx->samdb != NULL) {
+ /*
+ * Caller is responsible for lifetimes. In reality
+ * the whole thing is destroyed before leaving the
+ * function the samdb was passed into
+ */
+ kdc_db_ctx->samdb = base_ctx->samdb;
+ } else {
+ struct auth_session_info *session_info = NULL;
+ session_info = system_session(kdc_db_ctx->lp_ctx);
+ if (session_info == NULL) {
+ talloc_free(kdc_db_ctx);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ /* Setup the link to LDB */
+ kdc_db_ctx->samdb = samdb_connect(kdc_db_ctx,
+ base_ctx->ev_ctx,
+ base_ctx->lp_ctx,
+ session_info,
+ NULL,
+ 0);
+ if (kdc_db_ctx->samdb == NULL) {
+ DBG_WARNING("Cannot open samdb for KDC backend!\n");
+ talloc_free(kdc_db_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
 }
 
 /* Find out our own krbtgt kvno */
diff --git a/source4/kdc/mit_kdc_irpc.c b/source4/kdc/mit_kdc_irpc.c
index 92fb78d56e5..d2c39412081 100644
--- a/source4/kdc/mit_kdc_irpc.c
+++ b/source4/kdc/mit_kdc_irpc.c
@@ -160,7 +160,7 @@ static NTSTATUS netr_samlogon_generic_logon(struct irpc_message *msg,
 
 NTSTATUS samba_setup_mit_kdc_irpc(struct task_server *task)
 {
- struct samba_kdc_base_context base_ctx;
+ struct samba_kdc_base_context base_ctx = {};
 struct mit_kdc_irpc_context *mki_ctx;
 NTSTATUS status;
 int code;
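Review bot: The new `base_ctx->samdb != NULL` branch stores a borrowed pointer in `kdc_db_ctx->samdb`, whereas the `else` branch allocates the handle under `kdc_db_ctx` through `samdb_connect(kdc_db_ctx, ...)`, so the field now has two ownership models and a caller that frees its samdb early leaves the KDC context holding a dangling handle. The inline comment only describes the current caller; I would state the contract on the field itself in samba_kdc.h, for example `/* optional, borrowed: must outlive the samba_kdc_db_context; NULL = connect with system_session() */`. A supplied handle also carries the session it was opened with instead of `system_session()`, so whether later key lookups still see the attributes they need depends on the caller; that code is outside this hunk and should be confirmed. samba_kdc_setup_db_ctx() begins and ends outside the hunk.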
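Review bot: The `= {}` initialiser on `base_ctx` in samba_setup_mit_kdc_irpc() is now needed for memory safety rather than tidiness, and nothing at the declaration says so. Assuming `base_ctx` is passed to samba_kdc_setup_db_ctx() further down (outside the hunk), an uninitialised stack instance would hand that function an indeterminate `samdb` pointer, which it would then use as the database handle. A short comment such as `/* must be zeroed: a non-NULL base_ctx.samdb is used as the KDC database */` would keep the initialiser from being dropped later; the same applies to `base_ctx` in mit_samba_context_init() in mit_samba.c. Other places that build a `struct samba_kdc_base_context` are not visible in this diff and presumably need to zero it as well.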
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index ae8895d772b..2f280871cc0 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -78,7 +78,7 @@ krb5_error_code mit_samba_context_init(struct mit_samba_context **_ctx)
 struct mit_samba_context *ctx;
 const char *s4_conf_file;
 krb5_error_code ret;
- struct samba_kdc_base_context base_ctx;
+ struct samba_kdc_base_context base_ctx = {};
 
 ctx = talloc_zero(NULL, struct mit_samba_context);
 if (!ctx) {
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index d1100f657a4..095a8cc0cf7 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -38,6 +38,7 @@ struct samba_kdc_base_context {
 struct tevent_context *ev_ctx;
 struct loadparm_context *lp_ctx;
 struct imessaging_context *msg_ctx;
+ struct ldb_context *samdb;
 };
 
 struct samba_kdc_seq;
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c
index 8f548e14eeb..21aae7b400e 100644
--- a/source4/libnet/libnet_export_keytab.c
+++ b/source4/libnet/libnet_export_keytab.c
@@ -170,6 +170,7 @@ NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, s
 
 base_ctx->ev_ctx = ctx->event_ctx;
 base_ctx->lp_ctx = ctx->lp_ctx;
+ base_ctx->samdb = r->in.samdb;
 
 status = samba_kdc_setup_db_ctx(mem_ctx, base_ctx, &db_ctx);
 if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/libnet/libnet_export_keytab.h b/source4/libnet/libnet_export_keytab.h
index 2b4bdcde492..726475f79aa 100644
--- a/source4/libnet/libnet_export_keytab.h
+++ b/source4/libnet/libnet_export_keytab.h
@@ -23,6 +23,7 @@ struct libnet_export_keytab {
 struct {
 const char *keytab_name;
 const char *principal;
+ struct ldb_context *samdb;
 } in;
 struct {
 const char *error_string;
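Review bot: `base_ctx->samdb = r->in.samdb;` in libnet_export_keytab() forwards the caller's handle with no statement of whether it is optional or who owns it, and existing callers get NULL here only if they zero `struct libnet_export_keytab` before filling it in. The field added in libnet_export_keytab.h is the natural place to record this, e.g. `/* optional: samdb to read keys from; caller keeps ownership, NULL lets the KDC code open its own */`. How `base_ctx` itself is allocated is outside the hunk, so it is not visible here whether its other members start out zeroed.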