s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key()
authorStefan Metzmacher <metze@samba.org>
Mon, 7 Feb 2022 18:32:08 +0000 (19:32 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 24 Jun 2023 07:18:03 +0000 (07:18 +0000)
It means that using the old or older password no longer
changes badPwdCount for Kerberos authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 24 07:18:03 UTC 2023 on atb-devel-224

selftest/knownfail.d/test_login_basics_krb5 [deleted file]
selftest/knownfail_mit_kdc
source4/kdc/sdb_to_hdb.c

diff --git a/selftest/knownfail.d/test_login_basics_krb5 b/selftest/knownfail.d/test_login_basics_krb5
deleted file mode 100644 (file)
index c77f20f..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5
index 9c5b76cac5a2195384adacb602802eabcd8dd340..8196f4f4d6bd4472767c3c6e69af15a3988df25f 100644 (file)
@@ -2221,3 +2221,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_bad_pwd_allowed_from_user_deny.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_denied_no_fast.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_min.ad_dc
+#
+# MIT does not support password history in order to avoid badPwdCount changes
+# with the last password, see https://bugzilla.samba.org/show_bug.cgi?id=14054
+#
+^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5
index 994a52d7d440625945cf3d7fba7542c5f08c121c..93d2f3f598073e878ccafd10ce5e21d090e917ec 100644 (file)
@@ -147,6 +147,31 @@ static int sdb_keys_to_Keys(const struct sdb_keys *s, Keys *h)
        return 0;
 }
 
+static int sdb_keys_to_HistKeys(krb5_context context,
+                               const struct sdb_keys *s,
+                               krb5_kvno kvno,
+                               hdb_entry *h)
+{
+       unsigned int i;
+
+       for (i = 0; i < s->len; i++) {
+               Key k = { 0, };
+               int ret;
+
+               ret = sdb_key_to_Key(&s->val[i], &k);
+               if (ret != 0) {
+                       return ENOMEM;
+               }
+               ret = hdb_add_history_key(context, h, kvno, &k);
+               free_Key(&k);
+               if (ret != 0) {
+                       return ENOMEM;
+               }
+       }
+
+       return 0;
+}
+
 static int sdb_event_to_Event(krb5_context context,
                              const struct sdb_event *s, Event *h)
 {
@@ -192,6 +217,26 @@ int sdb_entry_to_hdb_entry(krb5_context context,
                goto error;
        }
 
+       if (h->kvno > 1) {
+               rc = sdb_keys_to_HistKeys(context,
+                                         &s->old_keys,
+                                         h->kvno - 1,
+                                         h);
+               if (rc != 0) {
+                       goto error;
+               }
+       }
+
+       if (h->kvno > 2) {
+               rc = sdb_keys_to_HistKeys(context,
+                                         &s->older_keys,
+                                         h->kvno - 2,
+                                         h);
+               if (rc != 0) {
+                       goto error;
+               }
+       }
+
        rc = sdb_event_to_Event(context,
                                 &s->created_by,
                                 &h->created_by);