s4:kdc: pass client_claims, device_info, device_claims into samba_make_krb5_pac()
authorStefan Metzmacher <metze@samba.org>
Thu, 24 Feb 2022 22:57:31 +0000 (23:57 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 8 Nov 2022 02:39:37 +0000 (02:39 +0000)
This allows us to add claims blobs to the PAC once we have the ability
to create them.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/mit_samba.c
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h
source4/kdc/wdc-samba4.c

index a3d28d71d564ab1be419643a788050873ab89089..9ebc773137ac35140a8644c5167514ba00f5b25c 100644 (file)
@@ -535,6 +535,9 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                                   pac_attrs_blob,
                                   requester_sid_blob,
                                   NULL,
+                                  NULL,
+                                  NULL,
+                                  NULL,
                                   *pac);
 
        talloc_free(tmp_ctx);
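Review bot: The call in mit_samba_get_pac now ends with four consecutive bare `NULL` arguments, all bound to `const DATA_BLOB *` parameters, so the compiler cannot notice a blob that is later wired into the wrong slot. Because client claims, device info and device claims end up as distinct PAC buffer types, a swapped argument would compile cleanly and issue the wrong authorization data. Label each placeholder with its parameter, e.g. `NULL, /* client_claims_blob */`, `NULL, /* device_info_blob */`, `NULL, /* device_claims_blob */`. The same applies to the `NULL, NULL, NULL,` line added in samba_wdc_get_pac in source4/kdc/wdc-samba4.c.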
index e77d163c075a5de96dcf14f6780fbd7128c6ddf9..95d86638836aaa01d5b224718709ad9a2f5d1d55 100644 (file)
@@ -503,6 +503,15 @@ krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
  * @param[in] deleg_blob Fill the delegation info PAC buffer with the given
  *                       blob, use NULL to ignore it.
  *
+ * @param[in] client_claims_blob Fill the client claims info PAC buffer with the
+ *                               given blob, use NULL to ignore it.
+ *
+ * @param[in] device_info_blob Fill the device info PAC buffer with the given
+ *                             blob, use NULL to ignore it.
+ *
+ * @param[in] device_claims_blob Fill the device claims info PAC buffer with the given
+ *                               blob, use NULL to ignore it.
+ *
  * @param[in] pac        The pac buffer to fill. This should be allocated with
  *                       krb5_pac_init() already.
  *
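Review bot: The three new @param entries do not state that each blob is embedded verbatim. The code added further down in this commit converts each blob with smb_krb5_data_from_blob() and passes it straight to krb5_pac_add_buffer(), with no inspection of its content. I would extend each entry with a sentence such as `The blob must already be encoded by the caller from KDC-side data; it is added to the PAC without validation.` The entries are also documented in parameter order (client claims, device info, device claims), while the buffers are added with device info first, so a short remark on whether buffer order is significant would save the next reader a lookup.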
@@ -515,6 +524,9 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
                                    const DATA_BLOB *pac_attrs_blob,
                                    const DATA_BLOB *requester_sid_blob,
                                    const DATA_BLOB *deleg_blob,
+                                   const DATA_BLOB *client_claims_blob,
+                                   const DATA_BLOB *device_info_blob,
+                                   const DATA_BLOB *device_claims_blob,
                                    krb5_pac pac)
 {
        krb5_data logon_data;
@@ -535,6 +547,36 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
                return ret;
        }
 
+       if (device_info_blob != NULL) {
+               krb5_data device_info_data = smb_krb5_data_from_blob(*device_info_blob);
+               ret = krb5_pac_add_buffer(context, pac,
+                                         PAC_TYPE_DEVICE_INFO,
+                                         &device_info_data);
+               if (ret != 0) {
+                       return ret;
+               }
+       }
+
+       if (client_claims_blob != NULL) {
+               krb5_data client_claims_data = smb_krb5_data_from_blob(*client_claims_blob);
+               ret = krb5_pac_add_buffer(context, pac,
+                                         PAC_TYPE_CLIENT_CLAIMS_INFO,
+                                         &client_claims_data);
+               if (ret != 0) {
+                       return ret;
+               }
+       }
+
+       if (device_claims_blob != NULL) {
+               krb5_data device_claims_data = smb_krb5_data_from_blob(*device_claims_blob);
+               ret = krb5_pac_add_buffer(context, pac,
+                                         PAC_TYPE_DEVICE_CLAIMS_INFO,
+                                         &device_claims_data);
+               if (ret != 0) {
+                       return ret;
+               }
+       }
+
        if (cred_blob != NULL) {
                krb5_data cred_data = smb_krb5_data_from_blob(*cred_blob);
                ret = krb5_pac_add_buffer(context, pac,
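Review bot: Each of the three new guards tests only the pointer, so a non-NULL blob with `length == 0` still adds an empty buffer of that type to the PAC. If an empty device-info or claims buffer is never meant to be issued, which cannot be told from this hunk, the guard could read `if (device_info_blob != NULL && device_info_blob->length != 0) {`, and likewise for the two claims blobs. Otherwise the @param text should say that rejecting empty blobs is the caller's job. The existing cred_blob block that follows uses the same pointer-only test, so this may be a deliberate convention. samba_make_krb5_pac starts and ends outside this hunk.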
index 7b7c489d30d128240ac6e06bdc9829598c10082f..8cd0a99da80ae9ef76295990b2b90a55c290a7d4 100644 (file)
@@ -48,6 +48,9 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
                                    const DATA_BLOB *pac_attrs_blob,
                                    const DATA_BLOB *requester_sid_blob,
                                    const DATA_BLOB *deleg_blob,
+                                   const DATA_BLOB *client_claims_blob,
+                                   const DATA_BLOB *device_info_blob,
+                                   const DATA_BLOB *device_claims_blob,
                                    krb5_pac pac);
 
 bool samba_princ_needs_pac(struct samba_kdc_entry *skdc_entry);
index 2c9b81e0addfd76250a9c5e7ba01f464c7779453..eca0a4c5155a713164f4871bc6380c390461500f 100644 (file)
@@ -161,7 +161,9 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 
        ret = samba_make_krb5_pac(context, logon_blob, cred_blob,
                                  upn_blob, pac_attrs_blob,
-                                 requester_sid_blob, NULL, *pac);
+                                 requester_sid_blob, NULL,
+                                 NULL, NULL, NULL,
+                                 *pac);
 
        talloc_free(mem_ctx);
        return ret;