Diffstat (limited to 'source4/kdc/hdb-samba4.c')
-rw-r--r--source4/kdc/hdb-samba4.c66
1 files changed, 66 insertions, 0 deletions
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 43e836f8360..a8aae50b5b0 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -136,6 +136,47 @@ static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
return code;
}
+static krb5_error_code hdb_samba4_kpasswd_fetch_kvno(krb5_context context, HDB *db,
+ krb5_const_principal _principal,
+ unsigned flags,
+ krb5_kvno _kvno,
+ hdb_entry_ex *entry_ex)
+{
+ struct samba_kdc_db_context *kdc_db_ctx = NULL;
+ krb5_error_code ret;
+ krb5_principal kpasswd_principal = NULL;
+
+ kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
+ struct samba_kdc_db_context);
+
+ ret = smb_krb5_make_principal(context, &kpasswd_principal,
+ lpcfg_realm(kdc_db_ctx->lp_ctx),
+ "kadmin", "changepw",
+ NULL);
+ if (ret) {
+ return ret;
+ }
+ smb_krb5_principal_set_type(context, kpasswd_principal, KRB5_NT_SRV_INST);
+
+ /*
+ * For the kpasswd service, always ensure we get the latest kvno. This
+ * also means we (correctly) refuse RODC-issued tickets.
+ */
+ flags &= ~HDB_F_KVNO_SPECIFIED;
+
+ /* Don't bother looking up a client or krbtgt. */
+ flags &= ~(SDB_F_GET_CLIENT|SDB_F_GET_KRBTGT);
+
+ ret = hdb_samba4_fetch_kvno(context, db,
+ kpasswd_principal,
+ flags,
+ 0,
+ entry_ex);
+
+ krb5_free_principal(context, kpasswd_principal);
+ return ret;
+}
+
static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
hdb_entry_ex *entry)
{
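Review bot: Line 46 masks the lookup-mode bits with the SDB_F_ constants while line 43 masks HDB_F_KVNO_SPECIFIED on the same `flags` word, and that word is the Heimdal HDB flag set this callback receives and passes straight through to hdb_samba4_fetch_kvno; the two namespaces presumably share values today, but correctness should not rest on an unstated equality between sdb.h and hdb.h, so use the Heimdal names here, `flags &= ~(HDB_F_GET_CLIENT|HDB_F_GET_KRBTGT);`. The deliberately unused `_principal` and `_kvno` parameters also deserve a sentence, because they are the security property of this backend: whichever service and kvno the caller asks for, only the kadmin/changepw entry at the latest kvno is ever returned. Suggested comment above the make_principal call: `/* _principal and _kvno are intentionally ignored: this HDB only serves kadmin/changepw at the latest kvno, so a ticket for any other service or an older key cannot be presented to kpasswd. */`. The "refuse RODC-issued tickets" claim in the comment at lines 40-41 is not verifiable from this hunk and is taken on trust.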
@@ -194,6 +235,14 @@ static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigne
return ret;
}
+static krb5_error_code hdb_samba4_nextkey_panic(krb5_context context, HDB *db,
+ unsigned flags,
+ hdb_entry_ex *entry)
+{
+ DBG_ERR("Attempt to iterate kpasswd keytab => PANIC\n");
+ smb_panic("hdb_samba4_nextkey_panic: Attempt to iterate kpasswd keytab");
+}
+
static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
{
talloc_free(db);
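Review bot: hdb_samba4_nextkey_panic is a non-void callback whose body ends in smb_panic() with no return statement, so it is only well-formed if smb_panic is declared noreturn in the headers this file pulls in; that is not visible here, and if it is not the case the build will warn about control reaching the end of a non-void function. The function also lacks any explanation of why enumeration is fatal rather than an error return, which matters because the same handler is installed for both hdb_firstkey and hdb_nextkey in this commit. Suggested comment above the definition: `/* The kpasswd HDB must never be iterated: the base firstkey/nextkey would presumably walk every principal's keys, far beyond the single kadmin/changepw entry this backend is meant to expose, so fail loudly. */`. A remark in the panic text that this is an HDB presented as a keytab would make the "keytab" wording less surprising to a reader who only knows the HDB side.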
@@ -522,3 +571,20 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
return NT_STATUS_OK;
}
+
+NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
+ krb5_context context, struct HDB **db)
+{
+ NTSTATUS nt_status;
+
+ nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ (*db)->hdb_fetch_kvno = hdb_samba4_kpasswd_fetch_kvno;
+ (*db)->hdb_firstkey = hdb_samba4_nextkey_panic;
+ (*db)->hdb_nextkey = hdb_samba4_nextkey_panic;
+
+ return NT_STATUS_OK;
+}