/*
 * HDB "nextkey" iterator hook: pull the next entry from the Samba KDC
 * backend and hand it back in Heimdal's hdb_entry_ex form.
 *
 * `flags` is part of the HDB hook signature but is not consulted here.
 * On success the converted entry is written to `entry` and the temporary
 * sdb entry is released; SDB error codes are translated to their HDB
 * counterparts, with every unrecognised error reported as
 * HDB_ERR_NOT_FOUND_HERE.
 */
static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags,
				   hdb_entry_ex *entry)
{
	struct samba_kdc_db_context *kdc_db_ctx =
		talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context);
	struct sdb_entry_ex sdb_entry_ex = {};
	krb5_error_code ret;

	ret = samba_kdc_nextkey(context, kdc_db_ctx, &sdb_entry_ex);

	/*
	 * NOTE(review): unlike hdb_samba4_fetch_kvno, the wrong-realm case
	 * neither converts nor frees sdb_entry_ex — confirm that
	 * samba_kdc_nextkey leaves the entry empty when it returns
	 * SDB_ERR_WRONG_REALM.
	 */
	if (ret == SDB_ERR_WRONG_REALM) {
		return HDB_ERR_WRONG_REALM;
	}
	if (ret == SDB_ERR_NOENTRY) {
		return HDB_ERR_NOENTRY;
	}
	if (ret != 0) {
		/* Any other backend failure is reported as "not held here". */
		return HDB_ERR_NOT_FOUND_HERE;
	}

	ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
	sdb_free_entry(&sdb_entry_ex);

	return ret;
}
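/*
 * HDB "fetch_kvno" hook: look up `principal` (at key version `kvno`) in the
 * Samba KDC backend and convert the result into Heimdal's hdb_entry_ex.
 *
 * Return value:
 *   0                     entry fetched and converted into `entry_ex`
 *   HDB_ERR_WRONG_REALM   the principal lives in another realm; `entry_ex`
 *                         is still filled so the KDC can read the correct
 *                         principal/realm from it
 *   HDB_ERR_NOENTRY       no such principal
 *   HDB_ERR_NOT_FOUND_HERE any other backend error
 *   other                 the error from sdb_entry_ex_to_hdb_entry_ex()
 *
 * Fix: a failed conversion is now always propagated.  Previously the
 * conversion error was only used when the fetch had already produced a
 * non-zero code, so on the plain success path a conversion failure was
 * reported as 0 and the caller received an entry that had not been filled.
 */
static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
					     krb5_const_principal principal,
					     unsigned flags,
					     krb5_kvno kvno,
					     hdb_entry_ex *entry_ex)
{
	struct samba_kdc_db_context *kdc_db_ctx;
	struct sdb_entry_ex sdb_entry_ex = {};
	krb5_error_code code, ret;

	kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
					   struct samba_kdc_db_context);

	ret = samba_kdc_fetch(context,
			      kdc_db_ctx,
			      principal,
			      flags,
			      kvno,
			      &sdb_entry_ex);
	switch (ret) {
	case 0:
		code = 0;
		break;
	case SDB_ERR_WRONG_REALM:
		/*
		 * If SDB_ERR_WRONG_REALM is returned we need to process the
		 * sdb_entry to fill the principal in the HDB entry.
		 */
		code = HDB_ERR_WRONG_REALM;
		break;
	case SDB_ERR_NOENTRY:
		return HDB_ERR_NOENTRY;
	default:
		/*
		 * NOTE(review): every remaining SDB error, including internal
		 * backend failures, is collapsed into "not found here" — confirm
		 * this is intended rather than only SDB_ERR_NOT_FOUND_HERE.
		 */
		return HDB_ERR_NOT_FOUND_HERE;
	}

	ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry_ex);
	sdb_free_entry(&sdb_entry_ex);

	/*
	 * A conversion failure must never be masked by the fetch result:
	 * neither a 0 nor a HDB_ERR_WRONG_REALM with a half-filled entry is
	 * safe to hand to the KDC.
	 */
	if (ret != 0) {
		code = ret;
	}

	return code;
}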
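/*
 * MIT KDB iterator step: fetch the next entry from the Samba KDC backend and
 * return it as a freshly allocated krb5_db_entry in *_kentry.
 *
 * Ownership: on success the caller owns *_kentry.  On any failure the entry
 * allocated here is freed and *_kentry is left untouched.
 *
 * Return value:
 *   0                  *_kentry set
 *   ENOMEM             allocation of the krb5_db_entry failed
 *   KRB5_KDB_NOENTRY   iteration exhausted / no entry
 *   other              the SDB_ERR_* code from samba_kdc_nextkey() or the
 *                      error from sdb_entry_ex_to_kdb_entry_ex()
 */
int mit_samba_get_nextkey(struct mit_samba_context *ctx,
			  krb5_db_entry **_kentry)
{
	struct sdb_entry_ex sentry = {
		.free_entry = NULL,
	};
	krb5_db_entry *kentry;
	int ret;

	/*
	 * Zero-filled so that any field the converter does not write is
	 * deterministic instead of uninitialized heap memory.
	 */
	kentry = calloc(1, sizeof *kentry);
	if (kentry == NULL) {
		return ENOMEM;
	}

	ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, &sentry);
	switch (ret) {
	case 0:
		break;
	case SDB_ERR_NOENTRY:
		free(kentry);
		return KRB5_KDB_NOENTRY;
	case SDB_ERR_NOT_FOUND_HERE:
		/* FIXME: RODC support */
		/* fallthrough */
	default:
		/*
		 * NOTE(review): the raw SDB_ERR_* value is returned to the MIT
		 * KDC unmapped — confirm these values are valid krb5 error
		 * codes for the caller.
		 */
		free(kentry);
		return ret;
	}

	ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);

	sdb_free_entry(&sentry);

	if (ret) {
		/*
		 * NOTE(review): only the outer struct is released here; if the
		 * converter allocated members before failing, they are not
		 * freed — confirm it cleans up after itself on error.
		 */
		free(kentry);
	} else {
		*_kentry = kentry;
	}
	return ret;
}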
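/*
 * Map the MIT KDB lookup flags for one principal fetch onto the SDB_F_*
 * flags that samba_kdc_fetch() expects.  Pure function of its inputs apart
 * from the ks_is_tgs_principal() query.
 */
static int mit_samba_sdb_fetch_flags(struct mit_samba_context *ctx,
				     krb5_const_principal principal,
				     unsigned int kflags)
{
	int sflags = 0;

	if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
		sflags |= SDB_F_CANON;
	}
	if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
		      KRB5_KDB_FLAG_INCLUDE_PAC)) {
		/*
		 * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
		 * SDB_F_FOR_AS_REQ
		 *
		 * We use ANY to also allow AS_REQ for service principal names
		 * This is supported by Windows.
		 */
		sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
	} else if (ks_is_tgs_principal(ctx, principal)) {
		sflags |= SDB_F_GET_KRBTGT;
	} else {
		sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
	}

	/* always set this or the created_by data will not be populated by samba's
	 * backend and we will fail to parse the entry later */
	sflags |= SDB_F_ADMIN_DATA;

	return sflags;
}

/*
 * MIT KDB principal lookup: fetch `principal` from the Samba KDC backend
 * and return it as a freshly allocated krb5_db_entry in *_kentry.
 *
 * Ownership: on success the caller owns *_kentry.  On any failure the entry
 * allocated here is freed and *_kentry is left untouched.
 *
 * Return value:
 *   0                  *_kentry set (also for a wrong-realm hit, see below)
 *   ENOMEM             allocation of the krb5_db_entry failed
 *   KRB5_KDB_NOENTRY   no such principal
 *   other              the SDB_ERR_* code from samba_kdc_fetch() or the
 *                      error from sdb_entry_ex_to_kdb_entry_ex()
 */
int mit_samba_get_principal(struct mit_samba_context *ctx,
			    krb5_const_principal principal,
			    unsigned int kflags,
			    krb5_db_entry **_kentry)
{
	struct sdb_entry_ex sentry = {
		.free_entry = NULL,
	};
	krb5_db_entry *kentry;
	int ret;
	int sflags;

	/*
	 * Zero-filled so that any field the converter does not write is
	 * deterministic instead of uninitialized heap memory.
	 */
	kentry = calloc(1, sizeof *kentry);
	if (kentry == NULL) {
		return ENOMEM;
	}

	sflags = mit_samba_sdb_fetch_flags(ctx, principal, kflags);

	ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
			      principal, sflags, 0, &sentry);
	switch (ret) {
	case 0:
		break;
	case SDB_ERR_NOENTRY:
		ret = KRB5_KDB_NOENTRY;
		goto done;
	case SDB_ERR_WRONG_REALM:
		/*
		 * If we have a wrong realm e.g. if we try get a cross forest
		 * ticket, we return a ticket with the correct realm. The KDC
		 * will detect this an return the appropriate return code.
		 */
		ret = 0;
		break;
	case SDB_ERR_NOT_FOUND_HERE:
		/* FIXME: RODC support */
		/* fallthrough */
	default:
		/*
		 * NOTE(review): the raw SDB_ERR_* value is returned to the MIT
		 * KDC unmapped — confirm these values are valid krb5 error
		 * codes for the caller.
		 */
		goto done;
	}

	ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);

	sdb_free_entry(&sentry);

done:
	if (ret) {
		/*
		 * NOTE(review): only the outer struct is released here; if the
		 * converter allocated members before failing, they are not
		 * freed — confirm it cleans up after itself on error.
		 */
		free(kentry);
	} else {
		*_kentry = kentry;
	}
	return ret;
}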