From: Andrew Bartlett
Date: Wed, 29 May 2024 23:40:16 +0000 (+1200)
Subject: kdc: Remove confusing duplicate open of sam.ldb to find RODC status
X-Git-Tag: tdb-1.4.11~407
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9ba5ebf4af7c5170dc2abf2307e3c47d7d250f5f;p=thirdparty%2Fsamba.git

kdc: Remove confusing duplicate open of sam.ldb to find RODC status

Instead, make this query after we open the DB in common with the MIT code.

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 5ed6bf2d1fe..32c6d2f8c22 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -1194,9 +1194,9 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
  * kpasswdd -> krb5 -> keytab_hdb -> hdb code
  */
 NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
-			       krb5_context context, struct HDB **db)
+			       krb5_context context, struct HDB **db,
+			       struct samba_kdc_db_context **kdc_db_ctx)
 {
-	struct samba_kdc_db_context *kdc_db_ctx = NULL;
 	NTSTATUS nt_status;
 
 	if (hdb_interface_version != HDB_INTERFACE_VERSION) {
@@ -1214,12 +1214,12 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
 	(*db)->hdb_db = NULL;
 	(*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
 
-	nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &kdc_db_ctx);
+	nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, kdc_db_ctx);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(*db);
 		return nt_status;
 	}
-	(*db)->hdb_db = kdc_db_ctx;
+	(*db)->hdb_db = *kdc_db_ctx;
 	(*db)->hdb_dbc = NULL;
 
 	(*db)->hdb_open = hdb_samba4_open;
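Review bot: The new `kdc_db_ctx` out-parameter is dereferenced unconditionally — it is handed straight to samba_kdc_setup_db_ctx() here and read as `*kdc_db_ctx` in the following hunk at -1214 — so any caller that has no use for the context must still supply a dummy local, which is exactly what hdb_samba4_kpasswd_create_kdc now does. Filling a local first and copying it out only when `kdc_db_ctx != NULL` keeps the function usable without the placeholder. The prototype in kdc-glue.h should also say that `*kdc_db_ctx` is written only on NT_STATUS_OK and is the same object stored in `(*db)->hdb_db`, so callers must not free it separately; samba_kdc_setup_db_ctx() receives `*db` as its first argument, which looks like the talloc parent but is not shown in this diff. hdb_samba4_create_kdc continues past the end of this hunk.
```c
NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
			       krb5_context context, struct HDB **db,
			       struct samba_kdc_db_context **kdc_db_ctx)
{
	/* Filled locally so kdc_db_ctx may be NULL for callers that only need *db. */
	struct samba_kdc_db_context *db_ctx = NULL;
	NTSTATUS nt_status;
	/* … unchanged: interface version check and HDB allocation … */
	nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &db_ctx);
	/* … unchanged: NT_STATUS_IS_OK check, talloc_free(*db) on failure … */
	(*db)->hdb_db = db_ctx;
	if (kdc_db_ctx != NULL) {
		*kdc_db_ctx = db_ctx;
	}
	/* … unchanged: remaining hdb_* method assignments … */
```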
@@ -1254,7 +1254,10 @@ NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
 {
 	NTSTATUS nt_status;
 
-	nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
+	/* This is only used in other callers */
+	struct samba_kdc_db_context *kdc_db_ctx = NULL;
+
+	nt_status = hdb_samba4_create_kdc(base_ctx, context, db, &kdc_db_ctx);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
diff --git a/source4/kdc/kdc-glue.h b/source4/kdc/kdc-glue.h
index 9497d0622e6..ebcde22f96f 100644
--- a/source4/kdc/kdc-glue.h
+++ b/source4/kdc/kdc-glue.h
@@ -34,7 +34,8 @@
 
 /* from hdb-samba4.c */
 NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
-			       krb5_context context, struct HDB **db);
+			       krb5_context context, struct HDB **db,
+			       struct samba_kdc_db_context **kdc_db_ctx);
 NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
 				       krb5_context context, struct HDB **db);
 
diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
index cbef2e66b7b..241c167d3e9 100644
--- a/source4/kdc/kdc-heimdal.c
+++ b/source4/kdc/kdc-heimdal.c
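Review bot: The comment `/* This is only used in other callers */` on the new local reads as though the variable had a consumer, when it is a placeholder that exists only because hdb_samba4_create_kdc() now demands the out-parameter; the context is not lost by discarding it, since the same pointer is stored in `(*db)->hdb_db` by the -1214 hunk of hdb-samba4.c. Suggest `/* Placeholder for the mandatory out-parameter; the context is also reachable via (*db)->hdb_db */` so the next reader does not go looking for the "other callers". The matching prototype change in kdc-glue.h carries no description of the new parameter at all; a one-line `/* kdc_db_ctx: set on NT_STATUS_OK to the context also held in (*db)->hdb_db */` above it would document the contract where callers look for it. hdb_samba4_kpasswd_create_kdc continues past the end of this hunk.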
@@ -338,28 +338,6 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
 	}
 	kdc = talloc_get_type_abort(task->private_data, struct kdc_server);
 
-	/* get a samdb connection */
-	kdc->samdb = samdb_connect(kdc,
-				   kdc->task->event_ctx,
-				   kdc->task->lp_ctx,
-				   system_session(kdc->task->lp_ctx),
-				   NULL,
-				   0);
-	if (!kdc->samdb) {
-		DBG_WARNING("kdc_task_init: unable to connect to samdb\n");
-		task_server_terminate(task, "kdc: krb5_init_context samdb connect failed", true);
-		return;
-	}
-
-	ldb_ret = samdb_rodc(kdc->samdb, &kdc->am_rodc);
-	if (ldb_ret != LDB_SUCCESS) {
-		DBG_WARNING("kdc_task_init: "
-			    "Cannot determine if we are an RODC: %s\n",
-			    ldb_errstring(kdc->samdb));
-		task_server_terminate(task, "kdc: krb5_init_context samdb RODC connect failed", true);
-		return;
-	}
-
 	kdc->proxy_timeout = lpcfg_parm_int(kdc->task->lp_ctx, NULL, "kdc", "proxy timeout", 5);
 
 	initialize_krb5_error_table();
@@ -473,12 +451,22 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
 
 	status = hdb_samba4_create_kdc(kdc->base_ctx,
 				       kdc->smb_krb5_context->krb5_context,
-				       &kdc_config->db[0]);
+				       &kdc_config->db[0],
+				       &kdc->kdc_db_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true);
 		return;
 	}
 
+	ldb_ret = samdb_rodc(kdc->kdc_db_ctx->samdb, &kdc->am_rodc);
+	if (ldb_ret != LDB_SUCCESS) {
+		DBG_WARNING("kdc_task_init: "
+			    "Cannot determine if we are an RODC: %s\n",
+			    ldb_errstring(kdc->kdc_db_ctx->samdb));
+		task_server_terminate(task, "kdc: krb5_init_context samdb RODC query failed", true);
+		return;
+	}
+
 	ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
 				   PLUGIN_TYPE_DATA, "hdb_samba4_interface",
 				   &hdb_samba4_interface);
diff --git a/source4/kdc/kdc-proxy.c b/source4/kdc/kdc-proxy.c
index 83d552a85a0..4e990a9ce88 100644
--- a/source4/kdc/kdc-proxy.c
+++ b/source4/kdc/kdc-proxy.c
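Review bot: In the -473 hunk `kdc->kdc_db_ctx` now caches a pointer whose lifetime `struct kdc_server` does not control: samba_kdc_setup_db_ctx() is given `*db` — here `kdc_config->db[0]` — as its first argument, which looks like the talloc parent of the context, so if that HDB were ever freed or re-created the cached pointer would dangle. A comment on the new `&kdc->kdc_db_ctx` argument such as `/* kdc_db_ctx is owned by kdc_config->db[0]; do not outlive it */` (wording to confirm against samba_kdc_setup_db_ctx) would make the dependency explicit. The termination string `"kdc: krb5_init_context samdb RODC query failed"` also still names krb5_init_context even though the query now runs after hdb_samba4_create_kdc(); `"kdc: samdb RODC query after hdb_samba4_create_kdc failed"` would send an operator to the right place, and the `"kdc_task_init: "` prefix inherited from the old block is likewise stale inside kdc_post_fork. The fail-closed behaviour on an undetermined RODC status is preserved, which is the right choice. kdc_post_fork continues past the end of this hunk.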
@@ -28,6 +28,7 @@
 #include "lib/util/tevent_ntstatus.h"
 #include "lib/stream/packet.h"
 #include "kdc/kdc-server.h"
+#include "kdc/samba_kdc.h"
 #include "kdc/kdc-proxy.h"
 #include "dsdb/samdb/samdb.h"
 #include "libcli/composite/composite.h"
@@ -45,7 +46,12 @@ static WERROR kdc_proxy_get_writeable_dcs(struct kdc_server *kdc, TALLOC_CTX *me
 	uint32_t count, i;
 	struct repsFromToBlob *reps;
 
-	werr = dsdb_loadreps(kdc->samdb, mem_ctx, ldb_get_default_basedn(kdc->samdb), "repsFrom", &reps, &count);
+	werr = dsdb_loadreps(kdc->kdc_db_ctx->samdb,
+			     mem_ctx,
+			     ldb_get_default_basedn(kdc->kdc_db_ctx->samdb),
+			     "repsFrom",
+			     &reps,
+			     &count);
 	W_ERROR_NOT_OK_RETURN(werr);
 
 	if (count == 0) {
diff --git a/source4/kdc/kdc-server.h b/source4/kdc/kdc-server.h
index 89b30f122f5..274c4bf4009 100644
--- a/source4/kdc/kdc-server.h
+++ b/source4/kdc/kdc-server.h
@@ -37,11 +37,11 @@ struct kdc_server {
 	struct task_server *task;
 	struct smb_krb5_context *smb_krb5_context;
 	struct samba_kdc_base_context *base_ctx;
-	struct ldb_context *samdb;
 	bool am_rodc;
 	uint32_t proxy_timeout;
 	const char *kpasswd_keytab_name;
 	void *private_data;
+	struct samba_kdc_db_context *kdc_db_ctx;
 };
 
 typedef enum kdc_code_e {
diff --git a/source4/kdc/kdc-service-mit.c b/source4/kdc/kdc-service-mit.c
index 5b1240cd84b..f21b4c94f60 100644
--- a/source4/kdc/kdc-service-mit.c
+++ b/source4/kdc/kdc-service-mit.c
@@ -318,19 +318,6 @@ NTSTATUS mitkdc_task_init(struct task_server *task)
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	kdc->samdb = samdb_connect(kdc,
-				   kdc->task->event_ctx,
-				   kdc->task->lp_ctx,
-				   system_session(kdc->task->lp_ctx),
-				   NULL,
-				   0);
-	if (kdc->samdb == NULL) {
-		task_server_terminate(task,
-				      "KDC: Unable to connect to samdb",
-				      true);
-		return NT_STATUS_CONNECTION_INVALID;
-	}
-
 	status = startup_kpasswd_server(kdc,
 					kdc,
 					task->lp_ctx,
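Review bot: kdc_proxy_get_writeable_dcs() in the -45 hunk dereferences `kdc->kdc_db_ctx->samdb` without checking that the field has been populated; in the Heimdal build it is filled by hdb_samba4_create_kdc() during kdc_post_fork, but in the kdc-service-mit.c hunk at -318 the samdb_connect() block is removed and no assignment to `kdc->kdc_db_ctx` is visible anywhere in this diff, so that assignment presumably lives in a hunk outside this page and should be confirmed. A guard at the top of the function, `if (kdc->kdc_db_ctx == NULL) { return WERR_INVALID_PARAMETER; }`, would turn a missed initialisation into an error return instead of a crash in the proxy path. The new `kdc_db_ctx` member in kdc-server.h at -37 is also undocumented; a comment such as `/* KDC database context; ->samdb replaces the former samdb member, set during task initialisation */` would tell readers where the handle now comes from. mitkdc_task_init continues past the end of its hunk.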