2 Unix SMB/CIFS implementation.
4 PAC Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "../libds/common/flags.h"
27 #include "auth/auth.h"
28 #include "auth/auth_sam_reply.h"
29 #include "system/kerberos.h"
30 #include "auth/kerberos/kerberos.h"
31 #include "kdc/samba_kdc.h"
32 #include "kdc/pac-glue.h"
33 #include "param/param.h"
34 #include "librpc/gen_ndr/ndr_krb5pac.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "auth/kerberos/pac_utils.h"
40 NTSTATUS
samba_get_logon_info_pac_blob(TALLOC_CTX
*mem_ctx
,
41 const struct auth_user_info_dc
*info
,
44 struct netr_SamInfo3
*info3
;
45 union PAC_INFO pac_info
;
46 enum ndr_err_code ndr_err
;
49 ZERO_STRUCT(pac_info
);
51 *pac_data
= data_blob_null
;
53 nt_status
= auth_convert_user_info_dc_saminfo3(mem_ctx
, info
, &info3
);
54 if (!NT_STATUS_IS_OK(nt_status
)) {
55 DEBUG(1, ("Getting Samba info failed: %s\n",
56 nt_errstr(nt_status
)));
60 pac_info
.logon_info
.info
= talloc_zero(mem_ctx
, struct PAC_LOGON_INFO
);
61 if (!pac_info
.logon_info
.info
) {
62 return NT_STATUS_NO_MEMORY
;
65 pac_info
.logon_info
.info
->info3
= *info3
;
67 ndr_err
= ndr_push_union_blob(pac_data
, mem_ctx
, &pac_info
,
69 (ndr_push_flags_fn_t
)ndr_push_PAC_INFO
);
70 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
71 nt_status
= ndr_map_error2ntstatus(ndr_err
);
72 DEBUG(1, ("PAC_LOGON_INFO (presig) push failed: %s\n",
73 nt_errstr(nt_status
)));
81 NTSTATUS
samba_get_cred_info_ndr_blob(TALLOC_CTX
*mem_ctx
,
82 const struct ldb_message
*msg
,
85 enum ndr_err_code ndr_err
;
88 static const struct samr_Password zero_hash
;
89 struct samr_Password
*lm_hash
= NULL
;
90 struct samr_Password
*nt_hash
= NULL
;
91 struct PAC_CREDENTIAL_NTLM_SECPKG ntlm_secpkg
= {
94 DATA_BLOB ntlm_blob
= data_blob_null
;
95 struct PAC_CREDENTIAL_SUPPLEMENTAL_SECPKG secpkgs
[1] = {{
98 struct PAC_CREDENTIAL_DATA cred_data
= {
99 .credential_count
= 0,
101 struct PAC_CREDENTIAL_DATA_NDR cred_ndr
;
103 ZERO_STRUCT(cred_ndr
);
105 *cred_blob
= data_blob_null
;
107 lm_hash
= samdb_result_hash(mem_ctx
, msg
, "dBCSPwd");
108 if (lm_hash
!= NULL
) {
109 ret
= memcmp(lm_hash
->hash
, zero_hash
.hash
, 16);
114 if (lm_hash
!= NULL
) {
115 DEBUG(5, ("Passing LM password hash through credentials set\n"));
116 ntlm_secpkg
.flags
|= PAC_CREDENTIAL_NTLM_HAS_LM_HASH
;
117 ntlm_secpkg
.lm_password
= *lm_hash
;
118 ZERO_STRUCTP(lm_hash
);
119 TALLOC_FREE(lm_hash
);
122 nt_hash
= samdb_result_hash(mem_ctx
, msg
, "unicodePwd");
123 if (nt_hash
!= NULL
) {
124 ret
= memcmp(nt_hash
->hash
, zero_hash
.hash
, 16);
129 if (nt_hash
!= NULL
) {
130 DEBUG(5, ("Passing LM password hash through credentials set\n"));
131 ntlm_secpkg
.flags
|= PAC_CREDENTIAL_NTLM_HAS_NT_HASH
;
132 ntlm_secpkg
.nt_password
= *nt_hash
;
133 ZERO_STRUCTP(nt_hash
);
134 TALLOC_FREE(nt_hash
);
137 if (ntlm_secpkg
.flags
== 0) {
141 #ifdef DEBUG_PASSWORD
143 NDR_PRINT_DEBUG(PAC_CREDENTIAL_NTLM_SECPKG
, &ntlm_secpkg
);
147 ndr_err
= ndr_push_struct_blob(&ntlm_blob
, mem_ctx
, &ntlm_secpkg
,
148 (ndr_push_flags_fn_t
)ndr_push_PAC_CREDENTIAL_NTLM_SECPKG
);
149 ZERO_STRUCT(ntlm_secpkg
);
150 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
151 nt_status
= ndr_map_error2ntstatus(ndr_err
);
152 DEBUG(1, ("PAC_CREDENTIAL_NTLM_SECPKG (presig) push failed: %s\n",
153 nt_errstr(nt_status
)));
157 DEBUG(10, ("NTLM credential BLOB (len %zu) for user\n",
159 dump_data_pw("PAC_CREDENTIAL_NTLM_SECPKG",
160 ntlm_blob
.data
, ntlm_blob
.length
);
162 secpkgs
[0].package_name
.string
= discard_const_p(char, "NTLM");
163 secpkgs
[0].credential_size
= ntlm_blob
.length
;
164 secpkgs
[0].credential
= ntlm_blob
.data
;
166 cred_data
.credential_count
= ARRAY_SIZE(secpkgs
);
167 cred_data
.credentials
= secpkgs
;
169 #ifdef DEBUG_PASSWORD
171 NDR_PRINT_DEBUG(PAC_CREDENTIAL_DATA
, &cred_data
);
175 cred_ndr
.ctr
.data
= &cred_data
;
177 #ifdef DEBUG_PASSWORD
179 NDR_PRINT_DEBUG(PAC_CREDENTIAL_DATA_NDR
, &cred_ndr
);
183 ndr_err
= ndr_push_struct_blob(cred_blob
, mem_ctx
, &cred_ndr
,
184 (ndr_push_flags_fn_t
)ndr_push_PAC_CREDENTIAL_DATA_NDR
);
185 data_blob_clear(&ntlm_blob
);
186 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
187 nt_status
= ndr_map_error2ntstatus(ndr_err
);
188 DEBUG(1, ("PAC_CREDENTIAL_DATA_NDR (presig) push failed: %s\n",
189 nt_errstr(nt_status
)));
193 DEBUG(10, ("Created credential BLOB (len %zu) for user\n",
195 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
196 cred_blob
->data
, cred_blob
->length
);
201 krb5_error_code
samba_kdc_encrypt_pac_credentials(krb5_context context
,
202 const krb5_keyblock
*pkreplykey
,
203 const DATA_BLOB
*cred_ndr_blob
,
205 DATA_BLOB
*cred_info_blob
)
207 krb5_crypto cred_crypto
;
208 krb5_enctype cred_enctype
;
209 krb5_data cred_ndr_crypt
;
210 struct PAC_CREDENTIAL_INFO pac_cred_info
= { .version
= 0, };
213 enum ndr_err_code ndr_err
;
216 *cred_info_blob
= data_blob_null
;
218 ret
= krb5_crypto_init(context
, pkreplykey
, ETYPE_NULL
,
221 krb5err
= krb5_get_error_message(context
, ret
);
222 DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err
));
223 krb5_free_error_message(context
, krb5err
);
227 ret
= krb5_crypto_getenctype(context
, cred_crypto
, &cred_enctype
);
229 DEBUG(1, ("Failed getting crypto type for key\n"));
230 krb5_crypto_destroy(context
, cred_crypto
);
234 DEBUG(10, ("Plain cred_ndr_blob (len %zu)\n",
235 cred_ndr_blob
->length
));
236 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
237 cred_ndr_blob
->data
, cred_ndr_blob
->length
);
239 ret
= krb5_encrypt(context
, cred_crypto
,
240 KRB5_KU_OTHER_ENCRYPTED
,
241 cred_ndr_blob
->data
, cred_ndr_blob
->length
,
243 krb5_crypto_destroy(context
, cred_crypto
);
245 krb5err
= krb5_get_error_message(context
, ret
);
246 DEBUG(1, ("Failed crypt of cred data: %s\n", krb5err
));
247 krb5_free_error_message(context
, krb5err
);
251 pac_cred_info
.encryption_type
= cred_enctype
;
252 pac_cred_info
.encrypted_data
.length
= cred_ndr_crypt
.length
;
253 pac_cred_info
.encrypted_data
.data
= (uint8_t *)cred_ndr_crypt
.data
;
256 NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO
, &pac_cred_info
);
259 ndr_err
= ndr_push_struct_blob(cred_info_blob
, mem_ctx
, &pac_cred_info
,
260 (ndr_push_flags_fn_t
)ndr_push_PAC_CREDENTIAL_INFO
);
261 krb5_data_free(&cred_ndr_crypt
);
262 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
263 nt_status
= ndr_map_error2ntstatus(ndr_err
);
264 DEBUG(1, ("PAC_CREDENTIAL_INFO (presig) push failed: %s\n",
265 nt_errstr(nt_status
)));
266 return KRB5KDC_ERR_SVC_UNAVAILABLE
;
269 DEBUG(10, ("Encrypted credential BLOB (len %zu) with alg %d\n",
270 cred_info_blob
->length
, (int)pac_cred_info
.encryption_type
));
271 dump_data_pw("PAC_CREDENTIAL_INFO",
272 cred_info_blob
->data
, cred_info_blob
->length
);
277 krb5_error_code
samba_make_krb5_pac(krb5_context context
,
278 const DATA_BLOB
*logon_blob
,
279 const DATA_BLOB
*cred_blob
,
280 const DATA_BLOB
*deleg_blob
,
283 krb5_data logon_data
;
285 krb5_data deleg_data
;
289 ZERO_STRUCT(null_data
);
291 /* The user account may be set not to want the PAC */
292 if (logon_blob
== NULL
) {
296 ret
= krb5_copy_data_contents(&logon_data
,
303 ZERO_STRUCT(cred_data
);
304 if (cred_blob
!= NULL
) {
305 ret
= krb5_copy_data_contents(&cred_data
,
309 kerberos_free_data_contents(context
, &logon_data
);
314 ZERO_STRUCT(deleg_data
);
315 if (deleg_blob
!= NULL
) {
316 ret
= krb5_copy_data_contents(&deleg_data
,
320 kerberos_free_data_contents(context
, &logon_data
);
321 kerberos_free_data_contents(context
, &cred_data
);
326 ret
= krb5_pac_init(context
, pac
);
328 kerberos_free_data_contents(context
, &logon_data
);
329 kerberos_free_data_contents(context
, &cred_data
);
330 kerberos_free_data_contents(context
, &deleg_data
);
334 ret
= krb5_pac_add_buffer(context
, *pac
, PAC_TYPE_LOGON_INFO
, &logon_data
);
335 kerberos_free_data_contents(context
, &logon_data
);
337 kerberos_free_data_contents(context
, &cred_data
);
338 kerberos_free_data_contents(context
, &deleg_data
);
342 if (cred_blob
!= NULL
) {
343 ret
= krb5_pac_add_buffer(context
, *pac
,
344 PAC_TYPE_CREDENTIAL_INFO
,
346 kerberos_free_data_contents(context
, &cred_data
);
348 kerberos_free_data_contents(context
, &deleg_data
);
353 if (deleg_blob
!= NULL
) {
354 ret
= krb5_pac_add_buffer(context
, *pac
,
355 PAC_TYPE_CONSTRAINED_DELEGATION
,
357 kerberos_free_data_contents(context
, &deleg_data
);
366 bool samba_princ_needs_pac(struct samba_kdc_entry
*skdc_entry
)
369 uint32_t userAccountControl
;
371 /* The service account may be set not to want the PAC */
372 userAccountControl
= ldb_msg_find_attr_as_uint(skdc_entry
->msg
, "userAccountControl", 0);
373 if (userAccountControl
& UF_NO_AUTH_DATA_REQUIRED
) {
380 /* Was the krbtgt in this DB (ie, should we check the incoming signature) and was it an RODC */
381 int samba_krbtgt_is_in_db(struct samba_kdc_entry
*p
,
386 int rodc_krbtgt_number
, trust_direction
;
389 TALLOC_CTX
*mem_ctx
= talloc_new(NULL
);
394 trust_direction
= ldb_msg_find_attr_as_int(p
->msg
, "trustDirection", 0);
396 if (trust_direction
!= 0) {
397 /* Domain trust - we cannot check the sig, but we trust it for a correct PAC
399 This is exactly where we should flag for SID
400 validation when we do inter-foreest trusts
402 talloc_free(mem_ctx
);
403 *is_untrusted
= false;
408 /* The lack of password controls etc applies to krbtgt by
409 * virtue of being that particular RID */
410 status
= dom_sid_split_rid(NULL
, samdb_result_dom_sid(mem_ctx
, p
->msg
, "objectSid"), NULL
, &rid
);
412 if (!NT_STATUS_IS_OK(status
)) {
413 talloc_free(mem_ctx
);
417 rodc_krbtgt_number
= ldb_msg_find_attr_as_int(p
->msg
, "msDS-SecondaryKrbTgtNumber", -1);
419 if (p
->kdc_db_ctx
->my_krbtgt_number
== 0) {
420 if (rid
== DOMAIN_RID_KRBTGT
) {
421 *is_untrusted
= false;
423 talloc_free(mem_ctx
);
425 } else if (rodc_krbtgt_number
!= -1) {
427 *is_untrusted
= true;
428 talloc_free(mem_ctx
);
431 } else if ((rid
!= DOMAIN_RID_KRBTGT
) && (rodc_krbtgt_number
== p
->kdc_db_ctx
->my_krbtgt_number
)) {
432 talloc_free(mem_ctx
);
433 *is_untrusted
= false;
436 } else if (rid
== DOMAIN_RID_KRBTGT
) {
437 /* krbtgt viewed from an RODC */
438 talloc_free(mem_ctx
);
439 *is_untrusted
= false;
445 talloc_free(mem_ctx
);
446 *is_untrusted
= true;
451 NTSTATUS
samba_kdc_get_pac_blobs(TALLOC_CTX
*mem_ctx
,
452 struct samba_kdc_entry
*p
,
453 DATA_BLOB
**_logon_info_blob
,
454 DATA_BLOB
**_cred_ndr_blob
)
456 struct auth_user_info_dc
*user_info_dc
;
457 DATA_BLOB
*logon_blob
= NULL
;
458 DATA_BLOB
*cred_blob
= NULL
;
461 *_logon_info_blob
= NULL
;
462 if (_cred_ndr_blob
!= NULL
) {
463 *_cred_ndr_blob
= NULL
;
466 /* The user account may be set not to want the PAC */
467 if ( ! samba_princ_needs_pac(p
)) {
471 logon_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
472 if (logon_blob
== NULL
) {
473 return NT_STATUS_NO_MEMORY
;
476 if (_cred_ndr_blob
!= NULL
) {
477 cred_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
478 if (cred_blob
== NULL
) {
479 return NT_STATUS_NO_MEMORY
;
483 nt_status
= authsam_make_user_info_dc(mem_ctx
, p
->kdc_db_ctx
->samdb
,
484 lpcfg_netbios_name(p
->kdc_db_ctx
->lp_ctx
),
485 lpcfg_sam_name(p
->kdc_db_ctx
->lp_ctx
),
486 lpcfg_sam_dnsname(p
->kdc_db_ctx
->lp_ctx
),
492 if (!NT_STATUS_IS_OK(nt_status
)) {
493 DEBUG(0, ("Getting user info for PAC failed: %s\n",
494 nt_errstr(nt_status
)));
498 nt_status
= samba_get_logon_info_pac_blob(logon_blob
,
501 if (!NT_STATUS_IS_OK(nt_status
)) {
502 DEBUG(0, ("Building PAC LOGON INFO failed: %s\n",
503 nt_errstr(nt_status
)));
507 if (cred_blob
!= NULL
) {
508 nt_status
= samba_get_cred_info_ndr_blob(cred_blob
,
511 if (!NT_STATUS_IS_OK(nt_status
)) {
512 DEBUG(0, ("Building PAC CRED INFO failed: %s\n",
513 nt_errstr(nt_status
)));
518 TALLOC_FREE(user_info_dc
);
519 *_logon_info_blob
= logon_blob
;
520 if (_cred_ndr_blob
!= NULL
) {
521 *_cred_ndr_blob
= cred_blob
;
526 NTSTATUS
samba_kdc_get_pac_blob(TALLOC_CTX
*mem_ctx
,
527 struct samba_kdc_entry
*p
,
528 DATA_BLOB
**_logon_info_blob
)
532 nt_status
= samba_kdc_get_pac_blobs(mem_ctx
, p
,
535 if (!NT_STATUS_IS_OK(nt_status
)) {
542 NTSTATUS
samba_kdc_update_pac_blob(TALLOC_CTX
*mem_ctx
,
543 krb5_context context
,
544 const krb5_pac pac
, DATA_BLOB
*pac_blob
,
545 struct PAC_SIGNATURE_DATA
*pac_srv_sig
,
546 struct PAC_SIGNATURE_DATA
*pac_kdc_sig
)
548 struct auth_user_info_dc
*user_info_dc
;
552 ret
= kerberos_pac_to_user_info_dc(mem_ctx
, pac
,
553 context
, &user_info_dc
, pac_srv_sig
, pac_kdc_sig
);
555 return NT_STATUS_UNSUCCESSFUL
;
558 nt_status
= samba_get_logon_info_pac_blob(mem_ctx
,
559 user_info_dc
, pac_blob
);
564 NTSTATUS
samba_kdc_update_delegation_info_blob(TALLOC_CTX
*mem_ctx
,
565 krb5_context context
,
567 const krb5_principal server_principal
,
568 const krb5_principal proxy_principal
,
575 enum ndr_err_code ndr_err
;
577 struct PAC_CONSTRAINED_DELEGATION _d
;
578 struct PAC_CONSTRAINED_DELEGATION
*d
= NULL
;
582 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
584 if (tmp_ctx
== NULL
) {
585 return NT_STATUS_NO_MEMORY
;
588 ret
= krb5_pac_get_buffer(context
, pac
, PAC_TYPE_CONSTRAINED_DELEGATION
, &old_data
);
590 ZERO_STRUCT(old_data
);
592 talloc_free(tmp_ctx
);
593 return NT_STATUS_UNSUCCESSFUL
;
596 old_blob
.length
= old_data
.length
;
597 old_blob
.data
= (uint8_t *)old_data
.data
;
600 if (old_blob
.length
> 0) {
601 ndr_err
= ndr_pull_union_blob(&old_blob
, mem_ctx
,
602 &info
, PAC_TYPE_CONSTRAINED_DELEGATION
,
603 (ndr_pull_flags_fn_t
)ndr_pull_PAC_INFO
);
604 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
605 kerberos_free_data_contents(context
, &old_data
);
606 nt_status
= ndr_map_error2ntstatus(ndr_err
);
607 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status
)));
608 talloc_free(tmp_ctx
);
613 info
.constrained_delegation
.info
= &_d
;
615 kerberos_free_data_contents(context
, &old_data
);
617 ret
= krb5_unparse_name(context
, server_principal
, &server
);
619 talloc_free(tmp_ctx
);
620 return NT_STATUS_INTERNAL_ERROR
;
623 ret
= krb5_unparse_name_flags(context
, proxy_principal
,
624 KRB5_PRINCIPAL_UNPARSE_NO_REALM
, &proxy
);
627 talloc_free(tmp_ctx
);
628 return NT_STATUS_INTERNAL_ERROR
;
631 d
= info
.constrained_delegation
.info
;
632 i
= d
->num_transited_services
;
633 d
->proxy_target
.string
= server
;
634 d
->transited_services
= talloc_realloc(mem_ctx
, d
->transited_services
,
635 struct lsa_String
, i
+ 1);
636 d
->transited_services
[i
].string
= proxy
;
637 d
->num_transited_services
= i
+ 1;
639 ndr_err
= ndr_push_union_blob(new_blob
, mem_ctx
,
640 &info
, PAC_TYPE_CONSTRAINED_DELEGATION
,
641 (ndr_push_flags_fn_t
)ndr_push_PAC_INFO
);
644 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
645 kerberos_free_data_contents(context
, &old_data
);
646 nt_status
= ndr_map_error2ntstatus(ndr_err
);
647 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status
)));
648 talloc_free(tmp_ctx
);
652 talloc_free(tmp_ctx
);
656 /* function to map policy errors */
657 krb5_error_code
samba_kdc_map_policy_err(NTSTATUS nt_status
)
661 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_PASSWORD_MUST_CHANGE
))
662 ret
= KRB5KDC_ERR_KEY_EXP
;
663 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_PASSWORD_EXPIRED
))
664 ret
= KRB5KDC_ERR_KEY_EXP
;
665 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_EXPIRED
))
666 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
667 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_DISABLED
))
668 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
669 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_LOGON_HOURS
))
670 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
671 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_LOCKED_OUT
))
672 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
673 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_WORKSTATION
))
674 ret
= KRB5KDC_ERR_POLICY
;
676 ret
= KRB5KDC_ERR_POLICY
;
681 /* Given a kdc entry, consult the account_ok routine in auth/auth_sam.c
683 NTSTATUS
samba_kdc_check_client_access(struct samba_kdc_entry
*kdc_entry
,
684 const char *client_name
,
685 const char *workstation
,
686 bool password_change
)
691 tmp_ctx
= talloc_named(NULL
, 0, "samba_kdc_check_client_access");
693 return NT_STATUS_NO_MEMORY
;
696 /* we allow all kinds of trusts here */
697 nt_status
= authsam_account_ok(tmp_ctx
,
698 kdc_entry
->kdc_db_ctx
->samdb
,
699 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
|
700 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
,
701 kdc_entry
->realm_dn
, kdc_entry
->msg
,
702 workstation
, client_name
,
703 true, password_change
);
705 talloc_free(tmp_ctx
);