From da258b47e6985a3ae45307305c3d4876444f525c Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 26 Jan 2022 08:39:50 +0100
Subject: [PATCH 1/3] s4:kdc: Add a HDB to SDB mask
For most flags the mapping is 1 to 1, but it's not always the case anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960
Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 63e00f81b5dd05b50e6ac286e87b8637a4ecd7e0)
---
 source4/kdc/sdb.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index 19d9b920278..cf7060bd169 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -116,6 +116,18 @@ struct sdb_entry_ex {
 #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
 #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
 #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+
+#define SDB_F_HDB_MASK (SDB_F_DECRYPT | \
+ SDB_F_GET_CLIENT| \
+ SDB_F_GET_SERVER | \
+ SDB_F_GET_KRBTGT | \
+ SDB_F_CANON | \
+ SDB_F_ADMIN_DATA | \
+ SDB_F_KVNO_SPECIFIED | \
+ SDB_F_FOR_AS_REQ | \
+ SDB_F_FOR_TGS_REQ)
+
+/* This is not supported by HDB */
 #define SDB_F_FORCE_CANON 16384 /* force canonicalition */
 void sdb_free_entry(struct sdb_entry_ex *e);
--
2.34.1
From 4554429d593b0496cbc995a1551cc3208f5f7945 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 26 Jan 2022 08:43:41 +0100
Subject: [PATCH 2/3] s4:kdc: Remove trailing spaces in hdb-samba4.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960
Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 2a0d6c11330c40f5692dc07ed6482c7107035bd4)
---
 source4/kdc/hdb-samba4.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index c0ec4bd3cd8..7477c0f9c11 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
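Review bot: SDB_F_HDB_MASK in source4/kdc/sdb.h (patch 1/3) is added without a comment stating the invariant it depends on: every bit it lists must carry the same numeric value and meaning as the HDB flag of the same name, because patch 3/3 applies the mask directly to an HDB flag word. The header neither shows nor enforces that, so a later renumbering on either side would silently reinterpret lookup flags in the KDC. I would put `/* SDB flags that are bit-identical to their HDB_F_* counterparts; any flag not listed here must be translated explicitly or dropped */` above the define, and add the missing space in `SDB_F_GET_CLIENT | \`. The definitions of most of the listed flags are outside this hunk, so the equality itself cannot be checked from here.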
@@ -486,12 +486,12 @@ static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
 req.in.validation_level = 3;
- /*
+ /*
  * The memory in identity_info and user_info only needs to be
  * valid until the end of this function call, as it will be
- * pushed to NDR during this call
+ * pushed to NDR during this call
  */
-
+
 dcerpc_winbind_SamLogon_r_send(mem_ctx, kdc_db_ctx->ev_ctx, irpc_handle, &req);
 }
--
2.34.1
From 91805e29af0bb1fa33bef398d623d3e70893fd99 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 26 Jan 2022 08:44:13 +0100
Subject: [PATCH 3/3] s4:kdc: Translate HDB flags to SDB flags
We used to have a 1 to 1 mapping, but now we have a conflict with these:
#define SDB_F_FORCE_CANON 16384
#define HDB_F_PRECHECK 16384
We currently don't really care about HDB_F_PRECHECK, so we can just filter it out. In the long run we may change the SDB flags space to uint64...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960
Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 6063e8016fccbefd1c3fe378e3807c77bc04e4ec)
---
 source4/kdc/hdb-samba4.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 7477c0f9c11..71260d3ed0a 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -223,6 +223,8 @@ static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
 struct samba_kdc_db_context *kdc_db_ctx;
 struct sdb_entry_ex sdb_entry_ex = {};
 krb5_error_code code, ret;
+ uint32_t sflags;
+
 kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context);
@@ -232,10 +234,12 @@ static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
 entry_ex);
 }
+ sflags = (flags & SDB_F_HDB_MASK);
+
 ret = samba_kdc_fetch(context, kdc_db_ctx, principal,
- flags,
+ sflags,
 kvno, &sdb_entry_ex);
 switch (ret) {
--
2.34.1
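Review bot: The new `sflags = (flags & SDB_F_HDB_MASK);` in hdb_samba4_fetch_kvno (second hunk of patch 3/3) drops every HDB bit outside the mask without a comment, so the reason lives only in the commit message. A reader of the code cannot tell that `flags` is in the HDB flag space and `sflags` in the SDB one, or that the filter exists because HDB_F_PRECHECK and SDB_F_FORCE_CANON both use 16384. I would add `/* HDB_F_PRECHECK shares 16384 with SDB_F_FORCE_CANON: forward only the bits that mean the same in both flag spaces */` above the assignment. The function body starts and ends outside both hunks; if other paths in this file hand HDB flags to samba_kdc_* calls they would need the same mask, which is not visible here.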