Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

9 files changed, 1522 insertions, 0 deletions

diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
new file mode 100644
index 0000000..e8fcfc8
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba.c
@@ -0,0 +1,178 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2010      Simo Sorce <idra@samba.org>.
+   Copyright (c) 2014      Andreas Schneider <asn@samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#include "system/kerberos.h"
+
+#include <profile.h>
+#include <kdb.h>
+
+#include "kdc/samba_kdc.h"
+#include "kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+static krb5_error_code kdb_samba_init_library(void)
+{
+	return 0;
+}
+
+static krb5_error_code kdb_samba_fini_library(void)
+{
+	return 0;
+}
+
+static krb5_error_code kdb_samba_init_module(krb5_context context,
+					     char *conf_section,
+					     char **db_args,
+					     int mode)
+{
+	/* TODO mit_samba_context_init */
+	struct mit_samba_context *mit_ctx;
+	krb5_error_code code;
+	int rc;
+
+	rc = mit_samba_context_init(&mit_ctx);
+	if (rc != 0) {
+		return ENOMEM;
+	}
+
+
+	code = krb5_db_set_context(context, mit_ctx);
+
+	return code;
+}
+static krb5_error_code kdb_samba_fini_module(krb5_context context)
+{
+	struct mit_samba_context *mit_ctx;
+
+	mit_ctx = ks_get_context(context);
+	if (mit_ctx == NULL) {
+		return 0;
+	}
+
+	mit_samba_context_free(mit_ctx);
+
+	return 0;
+}
+
+static krb5_error_code kdb_samba_db_create(krb5_context context,
+					   char *conf_section,
+					   char **db_args)
+{
+	/* NOTE: used only by kadmin */
+	return KRB5_KDB_DBTYPE_NOSUP;
+}
+
+static krb5_error_code kdb_samba_db_destroy(krb5_context context,
+					    char *conf_section,
+					    char **db_args)
+{
+	/* NOTE: used only by kadmin */
+	return KRB5_KDB_DBTYPE_NOSUP;
+}
+
+static krb5_error_code kdb_samba_db_get_age(krb5_context context,
+					    char *db_name,
+					    time_t *age)
+{
+	/* TODO: returns last modification time of the db */
+
+	/* NOTE: used by and affects only lookaside cache,
+	 *       defer implementation until needed as samba doesn't keep this
+	 *       specific value readily available and it would require a full
+	 *       database search to get it. */
+
+	*age = time(NULL);
+
+	return 0;
+}
+
+static krb5_error_code kdb_samba_db_lock(krb5_context context, int kmode)
+{
+
+	/* NOTE: important only for kadmin */
+	/* NOTE: deferred as samba's DB cannot be easily locked and doesn't
+	 * really make sense to do so anyway as the db is shared and support
+	 * transactions */
+	return 0;
+}
+
+static krb5_error_code kdb_samba_db_unlock(krb5_context context)
+{
+
+	/* NOTE: important only for kadmin */
+	/* NOTE: deferred as samba's DB cannot be easily locked and doesn't
+	 * really make sense to do so anyway as the db is shared and support
+	 * transactions */
+	return 0;
+}
+
+static void kdb_samba_db_free_principal_e_data(krb5_context context,
+					       krb5_octet *e_data)
+{
+	struct samba_kdc_entry *skdc_entry;
+
+	skdc_entry = talloc_get_type_abort(e_data,
+					   struct samba_kdc_entry);
+	skdc_entry->kdc_entry = NULL;
+	TALLOC_FREE(skdc_entry);
+}
+
+kdb_vftabl kdb_function_table = {
+	.maj_ver                   = KRB5_KDB_DAL_MAJOR_VERSION,
+	.min_ver                   = 0,
+
+	.init_library              = kdb_samba_init_library,
+	.fini_library              = kdb_samba_fini_library,
+	.init_module               = kdb_samba_init_module,
+	.fini_module               = kdb_samba_fini_module,
+
+	.create                    = kdb_samba_db_create,
+	.destroy                   = kdb_samba_db_destroy,
+	.get_age                   = kdb_samba_db_get_age,
+	.lock                      = kdb_samba_db_lock,
+	.unlock                    = kdb_samba_db_unlock,
+
+	.get_principal             = kdb_samba_db_get_principal,
+	.put_principal             = kdb_samba_db_put_principal,
+	.delete_principal          = kdb_samba_db_delete_principal,
+
+	.iterate                   = kdb_samba_db_iterate,
+
+	.fetch_master_key          = kdb_samba_fetch_master_key,
+	.fetch_master_key_list     = kdb_samba_fetch_master_key_list,
+
+	.change_pwd                = kdb_samba_change_pwd,
+
+	.decrypt_key_data          = kdb_samba_dbekd_decrypt_key_data,
+	.encrypt_key_data          = kdb_samba_dbekd_encrypt_key_data,
+
+	.check_policy_as           = kdb_samba_db_check_policy_as,
+	.audit_as_req              = kdb_samba_db_audit_as_req,
+	.check_allowed_to_delegate = kdb_samba_db_check_allowed_to_delegate,
+
+	.free_principal_e_data     = kdb_samba_db_free_principal_e_data,
+
+	.allowed_to_delegate_from  = kdb_samba_db_allowed_to_delegate_from,
+	.issue_pac                 = kdb_samba_db_issue_pac,
+};
diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
new file mode 100644
index 0000000..acd5a77
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -0,0 +1,182 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2009      Simo Sorce <idra@samba.org>.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _KDB_SAMBA_H_
+#define _KDB_SAMBA_H_
+
+#include <stdbool.h>
+
+#include <krb5/krb5.h>
+#include <krb5/plugin.h>
+
+#define PAC_LOGON_INFO 1
+
+#ifndef discard_const_p
+#if defined(__intptr_t_defined) || defined(HAVE_INTPTR_T)
+# define discard_const_p(type, ptr) ((type *)((intptr_t)(ptr)))
+#else
+# define discard_const_p(type, ptr) ((type *)(ptr))
+#endif
+#endif
+
+/* from kdb_samba_common.c */
+
+struct mit_samba_context *ks_get_context(krb5_context kcontext);
+
+krb5_error_code ks_get_principal(krb5_context context,
+				 krb5_const_principal principal,
+				 unsigned int kflags,
+				 krb5_db_entry **kentry);
+
+void ks_free_principal(krb5_context context, krb5_db_entry *entry);
+
+bool ks_data_eq_string(krb5_data d, const char *s);
+
+krb5_boolean ks_is_kadmin(krb5_context context,
+			  krb5_const_principal princ);
+
+krb5_boolean ks_is_kadmin_history(krb5_context context,
+				  krb5_const_principal princ);
+
+krb5_boolean ks_is_kadmin_changepw(krb5_context context,
+				   krb5_const_principal princ);
+
+krb5_boolean ks_is_kadmin_admin(krb5_context context,
+				krb5_const_principal princ);
+
+/* from kdb_samba_principals.c */
+
+krb5_error_code kdb_samba_db_get_principal(krb5_context context,
+					   krb5_const_principal princ,
+					   unsigned int kflags,
+					   krb5_db_entry **kentry);
+
+krb5_error_code kdb_samba_db_put_principal(krb5_context context,
+					   krb5_db_entry *entry,
+					   char **db_args);
+
+krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
+					      krb5_const_principal princ);
+
+krb5_error_code kdb_samba_db_iterate(krb5_context context,
+				     char *match_entry,
+				     int (*func)(krb5_pointer, krb5_db_entry *),
+				     krb5_pointer func_arg,
+				     krb5_flags iterflags);
+
+/* from kdb_samba_masterkey.c */
+
+krb5_error_code kdb_samba_fetch_master_key(krb5_context context,
+					   krb5_principal name,
+					   krb5_keyblock *key,
+					   krb5_kvno *kvno,
+					   char *db_args);
+
+krb5_error_code kdb_samba_fetch_master_key_list(krb5_context context,
+						krb5_principal mname,
+						const krb5_keyblock *key,
+						krb5_keylist_node **mkeys_list);
+
+/* from kdb_samba_pac.c */
+
+krb5_error_code kdb_samba_dbekd_decrypt_key_data(krb5_context context,
+						 const krb5_keyblock *mkey,
+						 const krb5_key_data *key_data,
+						 krb5_keyblock *kkey,
+						 krb5_keysalt *keysalt);
+
+krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
+						 const krb5_keyblock *mkey,
+						 const krb5_keyblock *kkey,
+						 const krb5_keysalt *keysalt,
+						 int keyver,
+						 krb5_key_data *key_data);
+
+/* from kdb_samba_policies.c */
+krb5_error_code kdb_samba_db_issue_pac(krb5_context context,
+				       unsigned int flags,
+				       krb5_db_entry *client,
+				       krb5_keyblock *replaced_reply_key,
+				       krb5_db_entry *server,
+				       krb5_db_entry *signing_krbtgt,
+				       krb5_timestamp authtime,
+				       krb5_pac old_pac,
+				       krb5_pac new_pac,
+				       krb5_data ***auth_indicators);
+
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+					    unsigned int flags,
+					    krb5_const_principal client_princ,
+					    krb5_const_principal server_princ,
+					    krb5_db_entry *client,
+					    krb5_db_entry *server,
+					    krb5_db_entry *krbtgt,
+					    krb5_db_entry *local_krbtgt,
+					    krb5_keyblock *client_key,
+					    krb5_keyblock *server_key,
+					    krb5_keyblock *krbtgt_key,
+					    krb5_keyblock *local_krbtgt_key,
+					    krb5_keyblock *session_key,
+					    krb5_timestamp authtime,
+					    krb5_authdata **tgt_auth_data,
+					    void *authdata_info,
+					    krb5_data ***auth_indicators,
+					    krb5_authdata ***signed_auth_data);
+
+krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
+					     krb5_kdc_req *kdcreq,
+					     krb5_db_entry *client,
+					     krb5_db_entry *server,
+					     krb5_timestamp kdc_time,
+					     const char **status,
+					     krb5_pa_data ***e_data_out);
+
+krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
+						       krb5_const_principal client,
+						       const krb5_db_entry *server,
+						       krb5_const_principal proxy);
+
+krb5_error_code kdb_samba_db_allowed_to_delegate_from(
+		krb5_context context,
+		krb5_const_principal client,
+		krb5_const_principal server,
+		krb5_pac header_pac,
+		const krb5_db_entry *proxy);
+
+void kdb_samba_db_audit_as_req(krb5_context kcontext,
+			       krb5_kdc_req *request,
+			       const krb5_address *local_addr,
+			       const krb5_address *remote_addr,
+			       krb5_db_entry *client,
+			       krb5_db_entry *server,
+			       krb5_timestamp authtime,
+			       krb5_error_code error_code);
+
+/* from kdb_samba_change_pwd.c */
+
+krb5_error_code kdb_samba_change_pwd(krb5_context context,
+				     krb5_keyblock *master_key,
+				     krb5_key_salt_tuple *ks_tuple,
+				     int ks_tuple_count, char *passwd,
+				     int new_kvno, krb5_boolean keepold,
+				     krb5_db_entry *db_entry);
+
+#endif /* _KDB_SAMBA_H_ */
diff --git a/source4/kdc/mit-kdb/kdb_samba_change_pwd.c b/source4/kdc/mit-kdb/kdb_samba_change_pwd.c
new file mode 100644
index 0000000..ad7bb5d
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba_change_pwd.c
@@ -0,0 +1,59 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2010      Simo Sorce <idra@samba.org>.
+   Copyright (c) 2014      Andreas Schneider <asn@samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#include "system/kerberos.h"
+
+#include <profile.h>
+#include <kdb.h>
+
+#include "kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
+krb5_error_code kdb_samba_change_pwd(krb5_context context,
+				     krb5_keyblock *master_key,
+				     krb5_key_salt_tuple *ks_tuple,
+				     int ks_tuple_count, char *passwd,
+				     int new_kvno, krb5_boolean keepold,
+				     krb5_db_entry *db_entry)
+{
+	struct mit_samba_context *mit_ctx;
+	krb5_error_code code;
+
+	mit_ctx = ks_get_context(context);
+	if (mit_ctx == NULL) {
+		return KRB5_KDB_DBNOTINITED;
+	}
+
+	code = mit_samba_kpasswd_change_password(mit_ctx, passwd, db_entry);
+	if (code != 0) {
+		goto cleanup;
+	}
+
+cleanup:
+
+	return code;
+}
diff --git a/source4/kdc/mit-kdb/kdb_samba_common.c b/source4/kdc/mit-kdb/kdb_samba_common.c
new file mode 100644
index 0000000..5ba845e
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba_common.c
@@ -0,0 +1,103 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2010      Simo Sorce <idra@samba.org>.
+   Copyright (c) 2014      Andreas Schneider <asn@samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#include "system/kerberos.h"
+
+#include <profile.h>
+#include <kdb.h>
+
+#include "kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
+struct mit_samba_context *ks_get_context(krb5_context kcontext)
+{
+	struct mit_samba_context *mit_ctx = NULL;
+	void *db_ctx = NULL;
+	krb5_error_code code;
+
+	code = krb5_db_get_context(kcontext, &db_ctx);
+	if (code != 0) {
+		return NULL;
+	}
+
+	mit_ctx = talloc_get_type_abort(db_ctx, struct mit_samba_context);
+
+	/*
+	 * This is nomrally the starting point for Kerberos operations in
+	 * MIT KRB5, so reset errno to 0 for possible com_err debug messages.
+	 */
+	errno = 0;
+
+	return mit_ctx;
+}
+
+bool ks_data_eq_string(krb5_data d, const char *s)
+{
+	int rc;
+
+	if (d.length != strlen(s) || d.length == 0) {
+		return false;
+	}
+
+	rc = memcmp(d.data, s, d.length);
+	if (rc != 0) {
+		return false;
+	}
+
+	return true;
+}
+
+krb5_boolean ks_is_kadmin(krb5_context context,
+			  krb5_const_principal princ)
+{
+	return krb5_princ_size(context, princ) >= 1 &&
+	       ks_data_eq_string(princ->data[0], "kadmin");
+}
+
+krb5_boolean ks_is_kadmin_history(krb5_context context,
+				  krb5_const_principal princ)
+{
+	return krb5_princ_size(context, princ) == 2 &&
+	       ks_data_eq_string(princ->data[0], "kadmin") &&
+	       ks_data_eq_string(princ->data[1], "history");
+}
+
+krb5_boolean ks_is_kadmin_changepw(krb5_context context,
+				   krb5_const_principal princ)
+{
+	return krb5_princ_size(context, princ) == 2 &&
+	       ks_data_eq_string(princ->data[0], "kadmin") &&
+	       ks_data_eq_string(princ->data[1], "changepw");
+}
+
+krb5_boolean ks_is_kadmin_admin(krb5_context context,
+				krb5_const_principal princ)
+{
+	return krb5_princ_size(context, princ) == 2 &&
+	       ks_data_eq_string(princ->data[0], "kadmin") &&
+	       ks_data_eq_string(princ->data[1], "admin");
+}
diff --git a/source4/kdc/mit-kdb/kdb_samba_masterkey.c b/source4/kdc/mit-kdb/kdb_samba_masterkey.c
new file mode 100644
index 0000000..b068d96
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba_masterkey.c
@@ -0,0 +1,69 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2010      Simo Sorce <idra@samba.org>.
+   Copyright (c) 2014      Andreas Schneider <asn@samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include "includes.h"
+
+#include "system/kerberos.h"
+
+#include <profile.h>
+#include <kdb.h>
+
+#include "kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
+krb5_error_code kdb_samba_fetch_master_key(krb5_context context,
+					   krb5_principal name,
+					   krb5_keyblock *key,
+					   krb5_kvno *kvno,
+					   char *db_args)
+{
+	return 0;
+}
+
+krb5_error_code kdb_samba_fetch_master_key_list(krb5_context context,
+						krb5_principal mname,
+						const krb5_keyblock *key,
+						krb5_keylist_node **mkeys_list)
+{
+	krb5_keylist_node *mkey;
+
+	/*
+	 * NOTE: samba does not support master keys
+	 *       so just return a dummy key
+	 */
+	mkey = calloc(1, sizeof(krb5_keylist_node));
+	if (mkey == NULL) {
+		return ENOMEM;
+	}
+
+	mkey->keyblock.magic = KV5M_KEYBLOCK;
+	mkey->keyblock.enctype = ENCTYPE_UNKNOWN;
+	mkey->kvno = 1;
+
+	*mkeys_list = mkey;
+
+	return 0;
+}
diff --git a/source4/kdc/mit-kdb/kdb_samba_pac.c b/source4/kdc/mit-kdb/kdb_samba_pac.c
new file mode 100644
index 0000000..75b05a6
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba_pac.c
@@ -0,0 +1,115 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2010      Simo Sorce <idra@samba.org>.
+   Copyright (c) 2014      Andreas Schneider <asn@samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#include "system/kerberos.h"
+
+#include <profile.h>
+#include <kdb.h>
+
+#include "kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
+krb5_error_code kdb_samba_dbekd_decrypt_key_data(krb5_context context,
+						 const krb5_keyblock *mkey,
+						 const krb5_key_data *key_data,
+						 krb5_keyblock *kkey,
+						 krb5_keysalt *keysalt)
+{
+	/*
+	 * NOTE: Samba doesn't use a master key, so we will just copy
+	 * the contents around untouched.
+	 */
+	ZERO_STRUCTP(kkey);
+
+	kkey->magic = KV5M_KEYBLOCK;
+	kkey->enctype = key_data->key_data_type[0];
+	kkey->contents = malloc(key_data->key_data_length[0]);
+	if (kkey->contents == NULL) {
+		return ENOMEM;
+	}
+	memcpy(kkey->contents,
+	       key_data->key_data_contents[0],
+	       key_data->key_data_length[0]);
+	kkey->length = key_data->key_data_length[0];
+
+	if (keysalt != NULL) {
+		keysalt->type = key_data->key_data_type[1];
+		keysalt->data.data = malloc(key_data->key_data_length[1]);
+		if (keysalt->data.data == NULL) {
+			free(kkey->contents);
+			return ENOMEM;
+		}
+		memcpy(keysalt->data.data,
+		       key_data->key_data_contents[1],
+		       key_data->key_data_length[1]);
+		keysalt->data.length = key_data->key_data_length[1];
+	}
+
+	return 0;
+}
+
+krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
+						 const krb5_keyblock *mkey,
+						 const krb5_keyblock *kkey,
+						 const krb5_keysalt *keysalt,
+						 int keyver,
+						 krb5_key_data *key_data)
+{
+	/*
+	 * NOTE: samba doesn't use a master key, so we will just copy
+	 * the contents around untouched.
+	 */
+
+	ZERO_STRUCTP(key_data);
+
+	key_data->key_data_ver = KRB5_KDB_V1_KEY_DATA_ARRAY;
+	key_data->key_data_kvno = keyver;
+	key_data->key_data_type[0] = kkey->enctype;
+	key_data->key_data_contents[0] = malloc(kkey->length);
+	if (key_data->key_data_contents[0] == NULL) {
+		return ENOMEM;
+	}
+	memcpy(key_data->key_data_contents[0],
+	       kkey->contents,
+	       kkey->length);
+	key_data->key_data_length[0] = kkey->length;
+
+	if (keysalt != NULL) {
+		key_data->key_data_type[1] = keysalt->type;
+		key_data->key_data_contents[1] = malloc(keysalt->data.length);
+		if (key_data->key_data_contents[1] == NULL) {
+			free(key_data->key_data_contents[0]);
+			return ENOMEM;
+		}
+		memcpy(key_data->key_data_contents[1],
+		       keysalt->data.data,
+		       keysalt->data.length);
+		key_data->key_data_length[1] = keysalt->data.length;
+	}
+
+	return 0;
+}
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
new file mode 100644
index 0000000..56bd0dd
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -0,0 +1,397 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2010      Simo Sorce <idra@samba.org>.
+   Copyright (c) 2014-2021 Andreas Schneider <asn@samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "lib/replace/replace.h"
+#include "lib/replace/system/kerberos.h"
+#include "lib/util/data_blob.h"
+#include "lib/util/debug.h"
+#include "lib/util/fault.h"
+#include "lib/util/memory.h"
+#include "libcli/util/ntstatus.h"
+#include "lib/krb5_wrap/krb5_samba.h"
+
+#include <profile.h>
+#include <kdb.h>
+
+#include "kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
+/* FIXME: This is a krb5 function which is exported, but in no header */
+extern krb5_error_code decode_krb5_padata_sequence(const krb5_data *output,
+						   krb5_pa_data ***rep);
+
+static krb5_error_code ks_get_netbios_name(krb5_address **addrs, char **name)
+{
+	char *nb_name = NULL;
+	int len, i;
+
+	for (i = 0; addrs[i]; i++) {
+		if (addrs[i]->addrtype != ADDRTYPE_NETBIOS) {
+			continue;
+		}
+		len = MIN(addrs[i]->length, 15);
+		nb_name = strndup((const char *)addrs[i]->contents, len);
+		if (!nb_name) {
+			return ENOMEM;
+		}
+		break;
+	}
+
+	if (nb_name) {
+		/* Strip space padding */
+		i = strlen(nb_name) - 1;
+		for (i = strlen(nb_name) - 1;
+		     i > 0 && nb_name[i] == ' ';
+		     i--) {
+			nb_name[i] = '\0';
+		}
+	}
+
+	*name = nb_name;
+
+	return 0;
+}
+
+krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
+					     krb5_kdc_req *kdcreq,
+					     krb5_db_entry *client,
+					     krb5_db_entry *server,
+					     krb5_timestamp kdc_time,
+					     const char **status,
+					     krb5_pa_data ***e_data_out)
+{
+	struct mit_samba_context *mit_ctx;
+	krb5_error_code code;
+	char *client_name = NULL;
+	char *server_name = NULL;
+	char *netbios_name = NULL;
+	char *realm = NULL;
+	bool password_change = false;
+	krb5_const_principal client_princ;
+	DATA_BLOB int_data = { NULL, 0 };
+	krb5_data d;
+	krb5_pa_data **e_data;
+
+	mit_ctx = ks_get_context(context);
+	if (mit_ctx == NULL) {
+		return KRB5_KDB_DBNOTINITED;
+	}
+
+	/* Prefer canonicalised name from client entry */
+	client_princ = client ? client->princ : kdcreq->client;
+
+	if (client_princ == NULL || ks_is_kadmin(context, client_princ)) {
+		return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+	}
+
+	if (krb5_princ_size(context, kdcreq->server) == 2 &&
+	    ks_is_kadmin_changepw(context, kdcreq->server)) {
+		code = krb5_get_default_realm(context, &realm);
+		if (code) {
+			goto done;
+		}
+
+		if (ks_data_eq_string(kdcreq->server->realm, realm)) {
+			password_change = true;
+		}
+	}
+
+	code = krb5_unparse_name(context, kdcreq->server, &server_name);
+	if (code) {
+		goto done;
+	}
+
+	code = krb5_unparse_name(context, client_princ, &client_name);
+	if (code) {
+		goto done;
+	}
+
+	if (kdcreq->addresses) {
+		code = ks_get_netbios_name(kdcreq->addresses, &netbios_name);
+		if (code) {
+			goto done;
+		}
+	}
+
+	code = mit_samba_check_client_access(mit_ctx,
+					     client,
+					     client_name,
+					     server,
+					     server_name,
+					     netbios_name,
+					     password_change,
+					     &int_data);
+
+	if (int_data.length && int_data.data) {
+
+		/* make sure the mapped return code is returned - gd */
+		int code_tmp;
+
+		d = smb_krb5_data_from_blob(int_data);
+
+		code_tmp = decode_krb5_padata_sequence(&d, &e_data);
+		if (code_tmp == 0) {
+			*e_data_out = e_data;
+		}
+	}
+done:
+	free(realm);
+	free(server_name);
+	free(client_name);
+	free(netbios_name);
+
+	return code;
+}
+
+static krb5_error_code ks_get_pac(krb5_context context,
+				  uint32_t flags,
+				  krb5_db_entry *client,
+				  krb5_db_entry *server,
+				  krb5_keyblock *client_key,
+				  krb5_pac *pac)
+{
+	struct mit_samba_context *mit_ctx;
+	krb5_error_code code;
+
+	mit_ctx = ks_get_context(context);
+	if (mit_ctx == NULL) {
+		return KRB5_KDB_DBNOTINITED;
+	}
+
+	code = mit_samba_get_pac(mit_ctx,
+				 context,
+				 flags,
+				 client,
+				 server,
+				 client_key,
+				 pac);
+	if (code != 0) {
+		return code;
+	}
+
+	return code;
+}
+
+static krb5_error_code ks_update_pac(krb5_context context,
+				     int flags,
+				     krb5_db_entry *client,
+				     krb5_db_entry *server,
+				     krb5_db_entry *signing_krbtgt,
+				     krb5_pac old_pac,
+				     krb5_pac new_pac)
+{
+	struct mit_samba_context *mit_ctx = NULL;
+	krb5_error_code code;
+
+	mit_ctx = ks_get_context(context);
+	if (mit_ctx == NULL) {
+		return KRB5_KDB_DBNOTINITED;
+	}
+
+	code = mit_samba_update_pac(mit_ctx,
+				    context,
+				    flags,
+				    client,
+				    server,
+				    signing_krbtgt,
+				    old_pac,
+				    new_pac);
+	if (code != 0) {
+		return code;
+	}
+
+	return code;
+}
+
+krb5_error_code kdb_samba_db_issue_pac(krb5_context context,
+				       unsigned int flags,
+				       krb5_db_entry *client,
+				       krb5_keyblock *replaced_reply_key,
+				       krb5_db_entry *server,
+				       krb5_db_entry *signing_krbtgt,
+				       krb5_timestamp authtime,
+				       krb5_pac old_pac,
+				       krb5_pac new_pac,
+				       krb5_data ***auth_indicators)
+{
+	char *client_name = NULL;
+	char *server_name = NULL;
+	krb5_error_code code = EINVAL;
+
+	/* The KDC handles both signing and verification for us. */
+
+	if (client != NULL) {
+		code = krb5_unparse_name(context,
+					 client->princ,
+					 &client_name);
+		if (code != 0) {
+			return code;
+		}
+	}
+
+	if (server != NULL) {
+		code = krb5_unparse_name(context,
+					 server->princ,
+					 &server_name);
+		if (code != 0) {
+			SAFE_FREE(client_name);
+			return code;
+		}
+	}
+
+	/*
+	 * Get a new PAC for AS-REQ or S4U2Self for our realm.
+	 *
+	 * For a simple cross-realm S4U2Proxy there will be the following TGS
+	 * requests after the client realm is identified:
+	 *
+	 * 1. server@SREALM to SREALM for krbtgt/CREALM@SREALM -- a regular TGS
+	 *    request with server's normal TGT and no S4U2Self padata.
+	 * 2. server@SREALM to CREALM for server@SREALM (expressed as an
+	 *    enterprise principal), with the TGT from #1 as header ticket and
+	 *    S4U2Self padata identifying the client.
+	 * 3. server@SREALM to SREALM for server@SREALM with S4U2Self padata,
+	 *    with the referral TGT from #2 as header ticket
+	 *
+	 * In request 2 the PROTOCOL_TRANSITION and CROSS_REALM flags are set,
+	 * and the request is for a local client (so client != NULL) and we
+	 * want to make a new PAC.
+	 *
+	 * In request 3 the PROTOCOL_TRANSITION and CROSS_REALM flags are also
+	 * set, but the request is for a non-local client (so client == NULL)
+	 * and we want to copy the subject PAC contained in the referral TGT.
+	 */
+	if (old_pac == NULL ||
+	    (client != NULL && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION))) {
+		DBG_NOTICE("Generate PAC for AS-REQ [client=%s, flags=%#08x]\n",
+			   client_name != NULL ? client_name : "<unknown>",
+			   flags);
+
+		code = ks_get_pac(context,
+				  flags,
+				  client,
+				  server,
+				  replaced_reply_key,
+				  &new_pac);
+	} else {
+		DBG_NOTICE("Update PAC for TGS-REQ [client=%s, server=%s, "
+			   "flags=%#08x]\n",
+			   client_name != NULL ? client_name : "<unknown>",
+			   server_name != NULL ? server_name : "<unknown>",
+			   flags);
+
+		code = ks_update_pac(context,
+				flags,
+				client,
+				server,
+				signing_krbtgt,
+				old_pac,
+				new_pac);
+	}
+	SAFE_FREE(client_name);
+	SAFE_FREE(server_name);
+
+	return code;
+}
+
+krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
+						       krb5_const_principal client,
+						       const krb5_db_entry *server,
+						       krb5_const_principal proxy)
+{
+	struct mit_samba_context *mit_ctx = NULL;
+
+	mit_ctx = ks_get_context(context);
+	if (mit_ctx == NULL) {
+		return KRB5_KDB_DBNOTINITED;
+	}
+
+	return mit_samba_check_s4u2proxy(mit_ctx,
+					 server,
+					 proxy);
+
+}
+
+
+krb5_error_code kdb_samba_db_allowed_to_delegate_from(
+		krb5_context context,
+		krb5_const_principal client_principal,
+		krb5_const_principal server_principal,
+		krb5_pac header_pac,
+		const krb5_db_entry *proxy)
+{
+	struct mit_samba_context *mit_ctx = NULL;
+	krb5_error_code code;
+
+	mit_ctx = ks_get_context(context);
+	if (mit_ctx == NULL) {
+		return KRB5_KDB_DBNOTINITED;
+	}
+
+	code = mit_samba_check_allowed_to_delegate_from(mit_ctx,
+							client_principal,
+							server_principal,
+							header_pac,
+							proxy);
+
+	return code;
+}
+
+
+static void samba_bad_password_count(krb5_db_entry *client,
+				     krb5_error_code error_code)
+{
+	switch (error_code) {
+	case 0:
+		mit_samba_zero_bad_password_count(client);
+		break;
+	case KRB5KDC_ERR_PREAUTH_FAILED:
+	case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+		mit_samba_update_bad_password_count(client);
+		break;
+	}
+}
+
+void kdb_samba_db_audit_as_req(krb5_context context,
+			       krb5_kdc_req *request,
+			       const krb5_address *local_addr,
+			       const krb5_address *remote_addr,
+			       krb5_db_entry *client,
+			       krb5_db_entry *server,
+			       krb5_timestamp authtime,
+			       krb5_error_code error_code)
+{
+	/*
+	 * FIXME: This segfaulted with a FAST test
+	 * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0
+	 */
+	if (client == NULL) {
+		return;
+	}
+
+	samba_bad_password_count(client, error_code);
+
+	/* TODO: perform proper audit logging for addresses */
+}
diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
new file mode 100644
index 0000000..2726018
--- /dev/null
+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
@@ -0,0 +1,397 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba KDB plugin for MIT Kerberos
+
+   Copyright (c) 2010      Simo Sorce <idra@samba.org>.
+   Copyright (c) 2014      Andreas Schneider <asn@samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#include "system/kerberos.h"
+
+#include <profile.h>
+#include <kdb.h>
+
+#include "kdc/samba_kdc.h"
+#include "kdc/mit_samba.h"
+#include "kdb_samba.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
+#define ADMIN_LIFETIME 60*60*3 /* 3 hours */
+
+krb5_error_code ks_get_principal(krb5_context context,
+				 krb5_const_principal principal,
+				 unsigned int kflags,
+				 krb5_db_entry **kentry)
+{
+	struct mit_samba_context *mit_ctx;
+	krb5_error_code code;
+
+	mit_ctx = ks_get_context(context);
+	if (mit_ctx == NULL) {
+		return KRB5_KDB_DBNOTINITED;
+	}
+
+	code = mit_samba_get_principal(mit_ctx,
+				       principal,
+				       kflags,
+				       kentry);
+	if (code != 0) {
+		goto cleanup;
+	}
+
+cleanup:
+
+	return code;
+}
+
+static void ks_free_principal_e_data(krb5_context context, krb5_octet *e_data)
+{
+	struct samba_kdc_entry *skdc_entry;
+
+	skdc_entry = talloc_get_type_abort(e_data,
+					   struct samba_kdc_entry);
+	skdc_entry->kdc_entry = NULL;
+	TALLOC_FREE(skdc_entry);
+}
+
+void ks_free_principal(krb5_context context, krb5_db_entry *entry)
+{
+	krb5_tl_data *tl_data_next = NULL;
+	krb5_tl_data *tl_data = NULL;
+	size_t i, j;
+
+	if (entry != NULL) {
+		krb5_free_principal(context, entry->princ);
+
+		for (tl_data = entry->tl_data; tl_data; tl_data = tl_data_next) {
+			tl_data_next = tl_data->tl_data_next;
+			if (tl_data->tl_data_contents != NULL) {
+				free(tl_data->tl_data_contents);
+			}
+			free(tl_data);
+		}
+
+		if (entry->key_data != NULL) {
+			for (i = 0; i < entry->n_key_data; i++) {
+				for (j = 0; j < entry->key_data[i].key_data_ver; j++) {
+					if (entry->key_data[i].key_data_length[j] != 0) {
+						if (entry->key_data[i].key_data_contents[j] != NULL) {
+							memset(entry->key_data[i].key_data_contents[j], 0, entry->key_data[i].key_data_length[j]);
+							free(entry->key_data[i].key_data_contents[j]);
+						}
+					}
+					entry->key_data[i].key_data_contents[j] = NULL;
+					 entry->key_data[i].key_data_length[j] = 0;
+					 entry->key_data[i].key_data_type[j] = 0;
+				}
+			}
+			free(entry->key_data);
+		}
+
+		if (entry->e_data) {
+			ks_free_principal_e_data(context, entry->e_data);
+		}
+
+		free(entry);
+	}
+}
+
+static krb5_boolean ks_is_master_key_principal(krb5_context context,
+					       krb5_const_principal princ)
+{
+	return krb5_princ_size(context, princ) == 2 &&
+	       ks_data_eq_string(princ->data[0], "K") &&
+	       ks_data_eq_string(princ->data[1], "M");
+}
+
+static krb5_error_code ks_get_master_key_principal(krb5_context context,
+						   krb5_const_principal princ,
+						   krb5_db_entry **kentry_ptr)
+{
+	krb5_error_code code;
+	krb5_key_data *key_data;
+	krb5_timestamp now;
+	krb5_db_entry *kentry;
+
+	*kentry_ptr = NULL;
+
+	kentry = calloc(1, sizeof(krb5_db_entry));
+	if (kentry == NULL) {
+		return ENOMEM;
+	}
+
+	kentry->magic = KRB5_KDB_MAGIC_NUMBER;
+	kentry->len = KRB5_KDB_V1_BASE_LENGTH;
+	kentry->attributes = KRB5_KDB_DISALLOW_ALL_TIX;
+
+	if (princ == NULL) {
+		code = krb5_parse_name(context, KRB5_KDB_M_NAME, &kentry->princ);
+	} else {
+		code = krb5_copy_principal(context, princ, &kentry->princ);
+	}
+	if (code != 0) {
+		krb5_db_free_principal(context, kentry);
+		return code;
+	}
+
+	now = time(NULL);
+
+	code = krb5_dbe_update_mod_princ_data(context, kentry, now, kentry->princ);
+	if (code != 0) {
+		krb5_db_free_principal(context, kentry);
+		return code;
+	}
+
+	/* Return a dummy key */
+	kentry->n_key_data = 1;
+	kentry->key_data = calloc(1, sizeof(krb5_key_data));
+	if (code != 0) {
+		krb5_db_free_principal(context, kentry);
+		return code;
+	}
+
+	key_data = &kentry->key_data[0];
+
+	key_data->key_data_ver          = KRB5_KDB_V1_KEY_DATA_ARRAY;
+	key_data->key_data_kvno         = 1;
+	key_data->key_data_type[0]      = ENCTYPE_UNKNOWN;
+	if (code != 0) {
+		krb5_db_free_principal(context, kentry);
+		return code;
+	}
+
+	*kentry_ptr = kentry;
+
+	return 0;
+}
+
+static krb5_error_code ks_create_principal(krb5_context context,
+					   krb5_const_principal princ,
+					   int attributes,
+					   int max_life,
+					   const char *password,
+					   krb5_db_entry **kentry_ptr)
+{
+	krb5_error_code code;
+	krb5_key_data *key_data;
+	krb5_timestamp now;
+	krb5_db_entry *kentry;
+	krb5_keyblock key;
+	krb5_data salt;
+	krb5_data pwd;
+	int enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+	int sts = KRB5_KDB_SALTTYPE_SPECIAL;
+
+	if (princ == NULL) {
+		return KRB5_KDB_NOENTRY;
+	}
+
+	*kentry_ptr = NULL;
+
+	kentry = calloc(1, sizeof(krb5_db_entry));
+	if (kentry == NULL) {
+		return ENOMEM;
+	}
+
+	kentry->magic = KRB5_KDB_MAGIC_NUMBER;
+	kentry->len = KRB5_KDB_V1_BASE_LENGTH;
+
+	if (attributes > 0) {
+		kentry->attributes = attributes;
+	}
+
+	if (max_life > 0) {
+		kentry->max_life = max_life;
+	}
+
+	code = krb5_copy_principal(context, princ, &kentry->princ);
+	if (code != 0) {
+		krb5_db_free_principal(context, kentry);
+		return code;
+	}
+
+	now = time(NULL);
+
+	code = krb5_dbe_update_mod_princ_data(context, kentry, now, kentry->princ);
+	if (code != 0) {
+		krb5_db_free_principal(context, kentry);
+		return code;
+	}
+
+	code = mit_samba_generate_salt(&salt);
+	if (code != 0) {
+		krb5_db_free_principal(context, kentry);
+		return code;
+	}
+
+	if (password != NULL) {
+		pwd.data = strdup(password);
+		pwd.length = strlen(password);
+	} else {
+		/* create a random password */
+		code = mit_samba_generate_random_password(&pwd);
+		if (code != 0) {
+			krb5_db_free_principal(context, kentry);
+			return code;
+		}
+	}
+
+	code = krb5_c_string_to_key(context, enctype, &pwd, &salt, &key);
+	SAFE_FREE(pwd.data);
+	if (code != 0) {
+		krb5_db_free_principal(context, kentry);
+		return code;
+	}
+
+	kentry->n_key_data = 1;
+	kentry->key_data = calloc(1, sizeof(krb5_key_data));
+	if (code != 0) {
+		krb5_db_free_principal(context, kentry);
+		return code;
+	}
+
+	key_data = &kentry->key_data[0];
+
+	key_data->key_data_ver          = KRB5_KDB_V1_KEY_DATA_ARRAY;
+	key_data->key_data_kvno         = 1;
+	key_data->key_data_type[0]      = key.enctype;
+	key_data->key_data_length[0]    = key.length;
+	key_data->key_data_contents[0]  = key.contents;
+	key_data->key_data_type[1]      = sts;
+	key_data->key_data_length[1]    = salt.length;
+	key_data->key_data_contents[1]  = (krb5_octet*)salt.data;
+
+	*kentry_ptr = kentry;
+
+	return 0;
+}
+
+static krb5_error_code ks_get_admin_principal(krb5_context context,
+					      krb5_const_principal princ,
+					      krb5_db_entry **kentry_ptr)
+{
+	krb5_error_code code = EINVAL;
+
+	code = ks_create_principal(context,
+				   princ,
+				   KRB5_KDB_DISALLOW_TGT_BASED,
+				   ADMIN_LIFETIME,
+				   NULL,
+				   kentry_ptr);
+
+	return code;
+}
+
+krb5_error_code kdb_samba_db_get_principal(krb5_context context,
+					   krb5_const_principal princ,
+					   unsigned int kflags,
+					   krb5_db_entry **kentry)
+{
+	struct mit_samba_context *mit_ctx;
+	krb5_error_code code;
+
+	mit_ctx = ks_get_context(context);
+	if (mit_ctx == NULL) {
+		return KRB5_KDB_DBNOTINITED;
+	}
+
+	if (ks_is_master_key_principal(context, princ)) {
+		return ks_get_master_key_principal(context, princ, kentry);
+	}
+
+	/*
+	 * Fake a kadmin/admin and kadmin/history principal so that kadmindd can
+	 * start
+	 */
+	if (ks_is_kadmin_admin(context, princ) ||
+	    ks_is_kadmin_history(context, princ)) {
+		return ks_get_admin_principal(context, princ, kentry);
+	}
+
+	code = ks_get_principal(context, princ, kflags, kentry);
+
+	/*
+	 * This restricts the changepw account so it isn't able to request a
+	 * service ticket. It also marks the principal as the changepw service.
+	 */
+	if (ks_is_kadmin_changepw(context, princ)) {
+		/* FIXME: shouldn't we also set KRB5_KDB_DISALLOW_TGT_BASED ?
+		 * testing showed that setpw kpasswd command fails then on the
+		 * server though... */
+		(*kentry)->attributes |= KRB5_KDB_PWCHANGE_SERVICE;
+		(*kentry)->max_life = CHANGEPW_LIFETIME;
+	}
+
+	return code;
+}
+
+krb5_error_code kdb_samba_db_put_principal(krb5_context context,
+					   krb5_db_entry *entry,
+					   char **db_args)
+{
+
+	/* NOTE: deferred, samba does not allow the KDC to store
+	 * principals for now. We should not return KRB5_KDB_DB_INUSE as this
+	 * would result in confusing error messages after password changes. */
+	return 0;
+}
+
+krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
+					      krb5_const_principal princ)
+{
+
+	/* NOTE: deferred, samba does not allow the KDC to delete
+	 * principals for now */
+	return KRB5_KDB_DB_INUSE;
+}
+
+krb5_error_code kdb_samba_db_iterate(krb5_context context,
+				     char *match_entry,
+				     int (*func)(krb5_pointer, krb5_db_entry *),
+				     krb5_pointer func_arg,
+				     krb5_flags iterflags)
+{
+	struct mit_samba_context *mit_ctx;
+	krb5_db_entry *kentry = NULL;
+	krb5_error_code code;
+
+
+	mit_ctx = ks_get_context(context);
+	if (mit_ctx == NULL) {
+		return KRB5_KDB_DBNOTINITED;
+	}
+
+	code = mit_samba_get_firstkey(mit_ctx, &kentry);
+	while (code == 0) {
+		code = (*func)(func_arg, kentry);
+		if (code != 0) {
+			break;
+		}
+
+		code = mit_samba_get_nextkey(mit_ctx, &kentry);
+	}
+
+	if (code == KRB5_KDB_NOENTRY) {
+		code = 0;
+	}
+
+	return code;
+}
diff --git a/source4/kdc/mit-kdb/wscript_build b/source4/kdc/mit-kdb/wscript_build
new file mode 100644
index 0000000..82cea4a
--- /dev/null
+++ b/source4/kdc/mit-kdb/wscript_build
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+
+bld.SAMBA_LIBRARY('mit-kdb-samba',
+                  source='''
+                         kdb_samba.c
+                         kdb_samba_common.c
+                         kdb_samba_masterkey.c
+                         kdb_samba_pac.c
+                         kdb_samba_policies.c
+                         kdb_samba_principals.c
+                         kdb_samba_change_pwd.c
+                         ''',
+                  private_library=True,
+                  realname='samba.so',
+                  install_path='${LIBDIR}/krb5/plugins/kdb',
+                  deps='''
+                       MIT_SAMBA
+                       com_err
+                       krb5
+                       kdb5
+                       ''',
+                  enabled=bld.CONFIG_SET('HAVE_KDB_H'))