From: Stefan Metzmacher
Date: Thu, 13 Mar 2025 00:50:23 +0000 (+0100)
Subject: s4:kdc: only use compound authentication with an explicit FAST armor
X-Git-Tag: tevent-0.17.0~385
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=08bf34c7212426a568825e13714b51b20f884271;p=thirdparty%2Fsamba.git

s4:kdc: only use compound authentication with an explicit FAST armor

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 597fd8f7c99..6b80b0461f6 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2884,6 +2884,10 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
  compounded_auth = server->supported_enctypes &
  KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED;
 
+ if (!(flags & SAMBA_KDC_FLAG_EXPLICIT_ARMOR_PRESENT)) {
+ compounded_auth = false;
+ }
+
  if (need_access_check || compounded_auth) {
  need_device = true;
  }
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 6acaf8e9f3c..a38dc26237f 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -44,6 +44,7 @@ enum {
  SAMBA_KDC_FLAG_PROTOCOL_TRANSITION = 0x00000001,
  SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION = 0x00000002,
  SAMBA_KDC_FLAG_PKINIT_FRESHNESS_USED = 0x00000004,
+ SAMBA_KDC_FLAG_EXPLICIT_ARMOR_PRESENT = 0x00000008,
  };
 
  struct samba_kdc_entry_pac {
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index c6ac2c739cb..0741c0878af 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -354,6 +354,10 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
  client_skdc_entry,
  krbtgt_skdc_entry);
 
+ if (kdc_request_get_explicit_armor_present(r)) {
+ flags |= SAMBA_KDC_FLAG_EXPLICIT_ARMOR_PRESENT;
+ }
+
  ret = samba_kdc_update_pac(mem_ctx,
  context,
  krbtgt_skdc_entry->kdc_db_ctx,
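Review bot: The new guard in samba_kdc_update_pac (source4/kdc/pac-glue.c) clears `compounded_auth` without saying why, and the commit message has no body to explain it either. A comment above the `if`, such as `/* Only honour compound identity when the request carried an explicit FAST armor. */`, would record the intent, and the new `SAMBA_KDC_FLAG_EXPLICIT_ARMOR_PRESENT` entry in pac-glue.h deserves the same one-line description. Note also that `need_access_check` on its own still sets `need_device = true` just below, so the device lookup is still reached without explicit armor; that path lies outside the hunk and presumably has to cope with a missing device PAC. The function starts and ends outside the hunk.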
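Review bot: In samba_wdc_reget_pac (source4/kdc/wdc-samba4.c) the flag records only that `kdc_request_get_explicit_armor_present(r)` reported an explicit armor; nothing visible in the hunk ties it to the device PAC that is later handed to `samba_kdc_update_pac`. Since compound authentication now depends on the two together, it is worth confirming in the code outside the hunk that the device PAC is taken from that same armor ticket. Any other caller of `samba_kdc_update_pac` that does not set `SAMBA_KDC_FLAG_EXPLICIT_ARMOR_PRESENT` now has compound authentication switched off, which is the fail-closed default but should be covered by a test for both the armored and unarmored TGS-REQ case. The function starts and ends outside the hunk.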