From c4325a2a21e7953a2d77225f6d1bacf7f9b5c083 Mon Sep 17 00:00:00 2001
From: Matthieu Patou
Date: Wed, 8 Feb 2017 16:58:36 -0800
Subject: [PATCH] libads: generate associated kpasswd_server entries

When changing password using kerberos, Samba is delegating the work to kerberos library. MIT Kerberos at least is using _kpasswd records to locate the kpasswd server when doing password changes. Without the change kerberos will use any server in the domain. With this change we insure that the notion of site is taken into account and that kerberos is contacting closer DCs.

Change-Id: I03c51716180064a90942c1a9691eee01989df7ad
---
 source3/libads/kerberos.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index dcb268e..36fb16b 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -763,11 +763,18 @@ static char *get_kdc_ip_string(char *mem_ctx,
 char *result = NULL;
 struct netlogon_samlogon_response **responses = NULL;
 NTSTATUS status;
- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "",
+ const char KRB_TEMPLATE_ENTRY[] = "%s\t\t%s = %s\n";
+ const char KDC_ENTRY[] = "kdc";
+ const char KPASSWD_ENTRY[] = "kpasswd_server";
+ char *kdc_str = talloc_asprintf(mem_ctx, KRB_TEMPLATE_ENTRY, "", KDC_ENTRY,
+ print_canonical_sockaddr_with_port(mem_ctx, pss));
+ char *kpasswd_str = talloc_asprintf(mem_ctx, KRB_TEMPLATE_ENTRY, "", KPASSWD_ENTRY,
 print_canonical_sockaddr_with_port(mem_ctx, pss));

- if (kdc_str == NULL) {
+ if (kdc_str == NULL || kpasswd_str == NULL) {
 TALLOC_FREE(frame);
+ TALLOC_FREE(kdc_str);
+ TALLOC_FREE(kpasswd_str);
 return NULL;
 }

@@ -860,26 +867,35 @@ static char *get_kdc_ip_string(char *mem_ctx,
 for (i=0; i
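Review bot: In the first hunk (`@@ -763,11 +763,18 @@`), both `talloc_asprintf` calls pass the result of `print_canonical_sockaddr_with_port(mem_ctx, pss)` straight to `%s` without a NULL check, and the new `kpasswd_str` line repeats the call. If that helper can return NULL on allocation failure (its body is not shown), the generated `kdc` / `kpasswd_server` entry would get a bogus value, or the call could crash, depending on the libc. Compute it once with `const char *addr = print_canonical_sockaddr_with_port(mem_ctx, pss);`, return NULL after `TALLOC_FREE(frame)` when `addr == NULL`, and pass `addr` to both calls. The same address string, port included, is written for both entries, so if `pss` can carry a non-zero port (not visible here), confirm it is correct for the kpasswd service as well as the KDC. The body of `get_kdc_ip_string` starts and ends outside this hunk.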