From 4780df334c4b049b048845c0aaf9562d80f7a915 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 25 Oct 2017 09:11:10 +0200
Subject: [PATCH] Add support for MIT Kerberos 1.16
---
 samba-4.7.0-support-krb5-1.16.patch | 135 ++++++++++++++++++++++++++++
 samba.spec | 1 +
 2 files changed, 136 insertions(+)
 create mode 100644 samba-4.7.0-support-krb5-1.16.patch
diff --git a/samba-4.7.0-support-krb5-1.16.patch b/samba-4.7.0-support-krb5-1.16.patch
new file mode 100644
index 0000000..bc8cb48
--- /dev/null
+++ b/samba-4.7.0-support-krb5-1.16.patch
@@ -0,0 +1,135 @@
+From f503bac8ac07b58a8377059922e3e56e28fc3e01 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 24 Oct 2017 12:01:39 +0300
+Subject: [PATCH] mit-kdb: support MIT Kerberos 1.16 KDB API changes
+
+MIT Kerberos 1.16 adds ability to audit local and remote addresses
+during AS_REQ processing. As result, audit_as_req callback signature
+was changed to include the addresses and KDB API version was increased.
+
+Change mit-kdb code to properly expose audit_as_req signature KDC
+expects in 1.16 version. Also update #ifdefs to account for the new
+KDB API version.
+
+This commit does not add actual audit of the local and remote IP
+addresses, it only makes it possible to compile against MIT Kerberos
+1.16.
+
+Signed-off-by: Alexander Bokovoy
+---
+ source4/kdc/mit-kdb/kdb_samba.h | 13 ++++++++-
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 42 +++++++++++++++++++++---------
+ source4/kdc/mit-kdb/kdb_samba_principals.c | 2 +-
+ 3 files changed, 42 insertions(+), 15 deletions(-)
+
+diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
+index abca2c166ae..b9c571f26cb 100644
+--- a/source4/kdc/mit-kdb/kdb_samba.h
++++ b/source4/kdc/mit-kdb/kdb_samba.h
+@@ -78,7 +78,7 @@ krb5_error_code kdb_samba_db_put_principal(krb5_context context,
+ krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
+ krb5_const_principal princ);
+ 
+-#if KRB5_KDB_API_VERSION == 8
++#if KRB5_KDB_API_VERSION >= 8
+ krb5_error_code kdb_samba_db_iterate(krb5_context context,
+ char *match_entry,
+ int (*func)(krb5_pointer, krb5_db_entry *),
+@@ -148,12 +148,23 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
+ const krb5_db_entry *server,
+ krb5_const_principal proxy);
+ 
++#if KRB5_KDB_API_VERSION >= 9
+ void kdb_samba_db_audit_as_req(krb5_context kcontext,
+ krb5_kdc_req *request,
++ const krb5_address *local_addr,
++ const krb5_address *remote_addr,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_timestamp authtime,
+ krb5_error_code error_code);
++#else
++void kdb_samba_db_audit_as_req(krb5_context kcontext,
++ krb5_kdc_req *request,
++ krb5_db_entry *client,
++ krb5_db_entry *server,
++ krb5_timestamp authtime,
++ krb5_error_code error_code);
++#endif
+ 
+ /* from kdb_samba_change_pwd.c */
+ 
+diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
+index 81140abfd50..de5813bde2f 100644
+--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
++++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
+@@ -432,20 +432,10 @@ done:
+ return code;
+ }
+ 
+-void kdb_samba_db_audit_as_req(krb5_context context,
+- krb5_kdc_req *request,
+- krb5_db_entry *client,
+- krb5_db_entry *server,
+- krb5_timestamp authtime,
+- krb5_error_code error_code)
+-{
+- struct mit_samba_context *mit_ctx;
+-
+- mit_ctx = ks_get_context(context);
+- if (mit_ctx == NULL) {
+- return;
+- }
+ 
++static void samba_bad_password_count(krb5_db_entry *client,
++ krb5_error_code error_code)
++{
+ switch (error_code) {
+ case 0:
+ mit_samba_zero_bad_password_count(client);
+@@ -456,3 +446,29 @@ void kdb_samba_db_audit_as_req(krb5_context context,
+ break;
+ }
+ }
++
++#if KRB5_KDB_API_VERSION >= 9
++void kdb_samba_db_audit_as_req(krb5_context context,
++ krb5_kdc_req *request,
++ const krb5_address *local_addr,
++ const krb5_address *remote_addr,
++ krb5_db_entry *client,
++ krb5_db_entry *server,
++ krb5_timestamp authtime,
++ krb5_error_code error_code)
++{
++ samba_bad_password_count(client, error_code);
++
++ /* TODO: perform proper audit logging for addresses */
++}
++#else
++void kdb_samba_db_audit_as_req(krb5_context context,
++ krb5_kdc_req *request,
++ krb5_db_entry *client,
++ krb5_db_entry *server,
++ krb5_timestamp authtime,
++ krb5_error_code error_code)
++{
++ samba_bad_password_count(client, error_code);
++}
++#endif
+diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
+index 1dbb69b561d..8b67436dc47 100644
+--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
++++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
+@@ -308,7 +308,7 @@ krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
+ return KRB5_KDB_DB_INUSE;
+ }
+ 
+-#if KRB5_KDB_API_VERSION == 8
++#if KRB5_KDB_API_VERSION >= 8
+ krb5_error_code kdb_samba_db_iterate(krb5_context context,
+ char *match_entry,
+ int (*func)(krb5_pointer, krb5_db_entry *),
+--
+2.13.6
+
diff --git a/samba.spec b/samba.spec
index bfcc038..b7bf31e 100644
--- a/samba.spec
+++ b/samba.spec
@@ -115,6 +115,7 @@ Source200: README.dc
 Source201: README.downgrade
 Patch0: samba-4.7.0-bind_dlz.patch
+Patch1: samba-4.7.0-support-krb5-1.16.patch
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
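Review bot: The rewritten `kdb_samba_db_audit_as_req` in the embedded kdb_samba_policies.c hunk drops the `ks_get_context(context) == NULL` early return, so `samba_bad_password_count()` now reaches `mit_samba_zero_bad_password_count(client)` (and the counter updates the hunk cuts off) even when the module context would have been absent; if that guard was load-bearing it needs to come back in both `#if` branches ahead of the call. Neither the helper nor the new `>= 9` callback checks `client`, and the KDC's AS_REQ audit hook presumably also fires for failures where no client entry was resolved — confirm against the KDB caller, and otherwise add `if (client == NULL) { return; }` at the top of `samba_bad_password_count`. `local_addr` and `remote_addr` are accepted but never read beyond the TODO; the TODO should at least name what a later audit record must carry (client principal, remote address, `error_code`) so failed pre-authentication attempts can be correlated by source, which is what the 1.16 API extension is for. The `switch` body of `samba_bad_password_count` is only partly visible here, as both hunks cut through it.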