s4:kdc: Add PAC_ATTRIBUTES integration for Heimdal
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 22 Dec 2021 04:08:43 +0000 (17:08 +1300)
committerJoseph Sutton <jsutton@samba.org>
Wed, 19 Jan 2022 20:50:35 +0000 (20:50 +0000)
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/kdc/mit_samba.c
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h
source4/kdc/wdc-samba4.c

index 2beccfa36789c717f71088fe2ca9a4b24582eccb..27b1582846855d87e9f0947486c67a1f49d7b1b4 100644 (file)
@@ -476,7 +476,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                                            cred_ndr_ptr,
                                            &upn_dns_info_blob,
                                            is_krbtgt ? &pac_attrs_blob : NULL,
-                                           NULL,
+                                           PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
                                            is_krbtgt ? &requester_sid_blob : NULL,
                                            NULL);
        if (!NT_STATUS_IS_OK(nt_status)) {
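Review bot: The literal `PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY` at this call site deserves a comment, because the MIT path now states unconditionally that the PAC was given implicitly while the Heimdal callback in wdc-samba4.c forwards the value it is handed. This matches what the old `NULL` argument produced, so behaviour is unchanged. A reader still cannot tell whether the client's PAC request is unavailable in this hook or simply not wired up yet. Something like `/* MIT: client PAC request is not passed to this hook; report implicit */` would do, if that is indeed the reason. The call and the enclosing mit_samba_get_pac extend beyond the hunk.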
@@ -611,7 +611,8 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
                                                    &pac_blob,
                                                    NULL,
                                                    &upn_blob,
-                                                   NULL, NULL,
+                                                   NULL,
+                                                   0,
                                                    NULL,
                                                    NULL);
                if (!NT_STATUS_IS_OK(nt_status)) {
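Review bot: The two reget paths pass different placeholder values for an argument that appears to be ignored. Here `0` follows a NULL `_pac_attrs_blob`, while samba_wdc_reget_pac2 in wdc-samba4.c passes `PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY` in the same position, also after a NULL blob pointer. The visible part of samba_kdc_get_pac_blobs only reaches samba_get_pac_attrs_blob inside `if (pac_attrs_blob != NULL)`, so neither value should have an effect. One convention would read better; I would pass `0` in both places with a comment such as `/* pac_attributes: unused, no attributes blob requested */`.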
index 10831671faca7521ad77bcc70f2edb709d279864..eac1612ca2b3caac7b15ce53119483101c8ff5c7 100644 (file)
@@ -153,7 +153,7 @@ NTSTATUS samba_get_upn_info_pac_blob(TALLOC_CTX *mem_ctx,
 
 static
 NTSTATUS samba_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
-                                 const krb5_boolean *pac_request,
+                                 uint64_t pac_attributes,
                                  DATA_BLOB *pac_attrs_data)
 {
        union PAC_INFO pac_attrs;
@@ -166,14 +166,7 @@ NTSTATUS samba_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
 
        /* Set the length of the flags in bits. */
        pac_attrs.attributes_info.flags_length = 2;
-
-       if (pac_request == NULL) {
-               pac_attrs.attributes_info.flags
-                       |= PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY;
-       } else if (*pac_request) {
-               pac_attrs.attributes_info.flags
-                       |= PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED;
-       }
+       pac_attrs.attributes_info.flags = pac_attributes;
 
        ndr_err = ndr_push_union_blob(pac_attrs_data, mem_ctx, &pac_attrs,
                                      PAC_TYPE_ATTRIBUTES_INFO,
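Review bot: The assignment `pac_attrs.attributes_info.flags = pac_attributes;` copies the caller's 64-bit value into the PAC unmasked, although `flags_length` two lines above declares only 2 flag bits. The removed branch could only ever set one of the two known flags; now any bit a caller passes ends up in the PAC the KDC issues. If the field is narrower than 64 bits (its declaration is not visible here), the value is also truncated silently. I would mask to the defined bits, `pac_attrs.attributes_info.flags = pac_attributes & (PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED | PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY);`, or return an error status when unknown bits are set. The body of samba_get_pac_attrs_blob starts and ends outside this hunk.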
@@ -839,7 +832,7 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                                 DATA_BLOB **_cred_ndr_blob,
                                 DATA_BLOB **_upn_info_blob,
                                 DATA_BLOB **_pac_attrs_blob,
-                                const krb5_boolean *pac_request,
+                                uint64_t pac_attributes,
                                 DATA_BLOB **_requester_sid_blob,
                                 struct auth_user_info_dc **_user_info_dc)
 {
@@ -941,7 +934,7 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 
        if (pac_attrs_blob != NULL) {
                nt_status = samba_get_pac_attrs_blob(pac_attrs_blob,
-                                                    pac_request,
+                                                    pac_attributes,
                                                     pac_attrs_blob);
 
                if (!NT_STATUS_IS_OK(nt_status)) {
index d3395038a55a28af9909e26bab162026fcfb12bb..c57928473a1bfdaefd18507fd28993b6af945bae 100644 (file)
@@ -53,7 +53,7 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                                 DATA_BLOB **_cred_ndr_blob,
                                 DATA_BLOB **_upn_info_blob,
                                 DATA_BLOB **_pac_attrs_blob,
-                                const krb5_boolean *pac_request,
+                                uint64_t pac_attributes,
                                 DATA_BLOB **_requester_sid_blob,
                                 struct auth_user_info_dc **_user_info_dc);
 NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
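Review bot: The prototype changes `const krb5_boolean *pac_request` to `uint64_t pac_attributes` without a comment describing the new contract. The old tri-state (NULL meant implicit, true meant requested, false meant neither flag) is no longer expressed by the type. A stale caller that still passes `NULL` may compile without error where NULL is defined as plain `0`, and would then produce an attributes buffer with neither flag set instead of PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY. A short comment above the parameter would make this visible, e.g. `/* pac_attributes: PAC_ATTRIBUTE_FLAG_* bits, used only when _pac_attrs_blob is non-NULL; 0 sets no flag */`. The declaration begins before the first line of this hunk.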
index 6a5565d511e636940a862cbdd1e67e724da84221..1f1b9482a278b1612f8fe7f103d44be7338ce752 100644 (file)
@@ -39,7 +39,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
                                         struct hdb_entry_ex *client,
                                         struct hdb_entry_ex *server,
                                         const krb5_keyblock *pk_reply_key,
-                                        const krb5_boolean *pac_request,
+                                        uint64_t pac_attributes,
                                         krb5_pac *pac)
 {
        TALLOC_CTX *mem_ctx;
@@ -74,7 +74,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
                                            cred_ndr_ptr,
                                            &upn_blob,
                                            is_krbtgt ? &pac_attrs_blob : NULL,
-                                           pac_request,
+                                           pac_attributes,
                                            is_krbtgt ? &requester_sid_blob : NULL,
                                            NULL);
        if (!NT_STATUS_IS_OK(nt_status)) {
@@ -265,7 +265,8 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
 
                nt_status = samba_kdc_get_pac_blobs(mem_ctx, client_skdc_entry,
                                                    &pac_blob, NULL, &upn_blob,
-                                                   NULL, NULL, &requester_sid_blob,
+                                                   NULL, PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
+                                                   &requester_sid_blob,
                                                    &user_info_dc);
                if (!NT_STATUS_IS_OK(nt_status)) {
                        talloc_free(mem_ctx);