]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
projects / thirdparty / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e6506c2)
s4:kdc: only use compound authentication with an explicit FAST armor
authorStefan Metzmacher <metze@samba.org>
Thu, 13 Mar 2025 00:50:23 +0000 (01:50 +0100)
committerRalph Boehme <slow@samba.org>
Thu, 3 Apr 2025 09:36:31 +0000 (09:36 +0000)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source4/kdc/pac-glue.c patch | blob | blame | history
source4/kdc/pac-glue.h patch | blob | blame | history
source4/kdc/wdc-samba4.c patch | blob | blame | history

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 597fd8f7c997f382954e5f578f8afffe0b0fb340..6b80b0461f6afce4ed23c097fd3bcb965a0cdd3d 100644 (file)
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2884,6 +2884,10 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                        compounded_auth = server->supported_enctypes &
                                KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED;
 
+                       if (!(flags & SAMBA_KDC_FLAG_EXPLICIT_ARMOR_PRESENT)) {
+                               compounded_auth = false;
+                       }
+
                        if (need_access_check || compounded_auth) {
                                need_device = true;
                        }
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 6acaf8e9f3cf06172734df15c59c57ac5941f98a..a38dc26237fbeb8a92d6cb8900fcfbca97d2a392 100644 (file)
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -44,6 +44,7 @@ enum {
        SAMBA_KDC_FLAG_PROTOCOL_TRANSITION    = 0x00000001,
        SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION = 0x00000002,
        SAMBA_KDC_FLAG_PKINIT_FRESHNESS_USED  = 0x00000004,
+       SAMBA_KDC_FLAG_EXPLICIT_ARMOR_PRESENT = 0x00000008,
 };
 
 struct samba_kdc_entry_pac {
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index c6ac2c739cb939e782fcc1ce92e1767c79c72218..0741c0878afd39bffb4939028a0d13aaf9645b30 100644 (file)
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -354,6 +354,10 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
                                               client_skdc_entry,
                                               krbtgt_skdc_entry);
 
+       if (kdc_request_get_explicit_armor_present(r)) {
+               flags |= SAMBA_KDC_FLAG_EXPLICIT_ARMOR_PRESENT;
+       }
+
        ret = samba_kdc_update_pac(mem_ctx,
                                   context,
                                   krbtgt_skdc_entry->kdc_db_ctx,
Mirror of https://github.com/samba-team/samba.git