s4:kdc: pass pac_princ to samba_kdc_entry_pac_from_trusted()
authorStefan Metzmacher <metze@samba.org>
Thu, 13 Mar 2025 00:21:03 +0000 (01:21 +0100)
committerRalph Boehme <slow@samba.org>
Thu, 3 Apr 2025 09:36:31 +0000 (09:36 +0000)
For mit_samba_update_pac() we can only pass it optionally.
This should be fixed in future, but it requires changes
in MIT Kerberos.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source4/kdc/mit_samba.c
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h

index b045b6669e36206d10434b8801e76679efede246..fafa2b10e1598b259320a9b9ac7a07db7836773c 100644 (file)
@@ -514,6 +514,7 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
        TALLOC_CTX *tmp_ctx = NULL;
        krb5_error_code code;
        struct samba_kdc_entry *client_skdc_entry = NULL;
+       krb5_const_principal client_principal = NULL;
        struct samba_kdc_entry *server_skdc_entry = NULL;
        struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
        struct samba_kdc_entry_pac client_pac_entry = {};
@@ -527,10 +528,18 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
                return ENOMEM;
        }
 
+       /*
+        * TODO: pass client_principal from the caller
+        *
+        * While krb5_db_entry for 'client' is optional,
+        * the caller should pass client_principal,
+        * for cross realm clients.
+        */
        if (client != NULL) {
                client_skdc_entry =
                        talloc_get_type_abort(client->e_data,
                                              struct samba_kdc_entry);
+               client_principal = client->princ;
        }
 
        if (krbtgt == NULL) {
@@ -577,6 +586,7 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
        }
 
        client_pac_entry = samba_kdc_entry_pac_from_trusted(old_pac,
+                                                           client_principal,
                                                            client_skdc_entry,
                                                            krbtgt_skdc_entry,
                                                            is_trusted);
@@ -797,6 +807,7 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from(
        }
 
        client_pac_entry = samba_kdc_entry_pac_from_trusted(header_pac,
+                                                           client_principal,
                                                            NULL, /* client_skdc_entry */
                                                            krbtgt_sentry.skdc_entry,
                                                            true); /* is_trusted */
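Review bot: The TODO block in the `@@ -527,10 +528,18 @@` hunk of mit_samba_update_pac() names the limitation but not its effect: when `client` is NULL — the cross-realm case the comment itself mentions — `client_principal` keeps the NULL it is initialised with, so the call in the `@@ -577,6 +586,7 @@` hunk hands samba_kdc_entry_pac_from_trusted() no principal to match the PAC against for exactly those clients. I'd make that consequence explicit in the comment so the gap stays visible to whoever closes the TODO, e.g. `Until then client_principal stays NULL for cross-realm clients and samba_kdc_entry_pac_from_trusted() receives no principal to validate the PAC against.` In mit_samba_check_allowed_to_delegate_from() the `client_principal` passed in the last hunk is declared outside the hunk, so whether it can also be NULL there is not visible here and would be worth a one-line comment at the call. mit_samba_update_pac()'s body continues outside the hunks.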
index 6eec1fc86d1e4be500558f22643f79f34180fa66..4937c26b019f52e994a6a35c557d2d41112fad56 100644 (file)
@@ -891,6 +891,7 @@ struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
 }
 #else /* MIT */
 struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
+                                                           krb5_const_principal pac_princ,
                                                            struct samba_kdc_entry *entry,
                                                            const struct samba_kdc_entry *krbtgt,
                                                            bool is_trusted)
index 44ba85a4ee292437f1f84967c45a0d1c9a37386d..e9a67d8f6e60ffa17d0075825e48c91790d8bb87 100644 (file)
@@ -61,6 +61,7 @@ struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
                                               const struct samba_kdc_entry *krbtgt_entry);
 #else /* MIT */
 struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
+                                                           krb5_const_principal pac_princ,
                                                            struct samba_kdc_entry *entry,
                                                            const struct samba_kdc_entry *krbtgt_entry,
                                                            bool is_trusted);
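Review bot: The new `pac_princ` parameter on samba_kdc_entry_pac_from_trusted() arrives with no statement of whether NULL is accepted, yet the MIT caller in mit_samba_update_pac() passes NULL whenever no client krb5_db_entry is available. Since this is the public prototype, I'd document the contract here (and mirror it on the definition in pac-glue.c), e.g. `pac_princ: principal the PAC is expected to belong to; may be NULL on the MIT update_pac path (see the TODO in mit_samba_update_pac()), and the implementation must tolerate that.` Whether the body in pac-glue.c already handles a NULL `pac_princ` is outside the hunk and should be confirmed.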