s4:kdc: pass pac_princ to samba_kdc_entry_pac()
authorStefan Metzmacher <metze@samba.org>
Thu, 13 Mar 2025 00:40:18 +0000 (01:40 +0100)
committerRalph Boehme <slow@samba.org>
Thu, 3 Apr 2025 09:36:31 +0000 (09:36 +0000)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source4/kdc/hdb-samba4.c
source4/kdc/kdc-glue.c
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h
source4/kdc/wdc-samba4.c

index 01450148a1c65ff31ac0466066ec5e7943f523c6..4afae40893b83fc342d01f14a9886fad247b4a94 100644 (file)
@@ -354,6 +354,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
        }
 
        client_pac_entry = samba_kdc_entry_pac(header_pac,
+                                              client_principal,
                                               client_skdc_entry,
                                               client_krbtgt_skdc_entry);
 
@@ -380,6 +381,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
                }
 
                device_pac_entry = samba_kdc_entry_pac(device_pac,
+                                                      device_principal,
                                                       device_skdc_entry,
                                                       device_krbtgt_skdc_entry);
        }
index 43764557e46cc424bba313ee1aec4a3ede2d2350..6dbf21edefdc26298fee1609ebb20931bcad7b59 100644 (file)
@@ -69,6 +69,7 @@ int kdc_check_pac(krb5_context context,
 
 struct samba_kdc_entry_pac samba_kdc_get_device_pac(const astgs_request_t r)
 {
+       krb5_const_principal device_principal = kdc_request_get_armor_client_principal(r);
        const hdb_entry *device = kdc_request_get_armor_client(r);
        struct samba_kdc_entry *device_skdc_entry = NULL;
        const hdb_entry *device_krbtgt = kdc_request_get_armor_server(r);
@@ -76,7 +77,7 @@ struct samba_kdc_entry_pac samba_kdc_get_device_pac(const astgs_request_t r)
        const krb5_const_pac device_pac = kdc_request_get_armor_pac(r);
 
        if (device_pac == NULL) {
-               return samba_kdc_entry_pac(NULL, NULL, NULL);
+               return samba_kdc_entry_pac(NULL, NULL, NULL, NULL);
        }
 
        /*
@@ -98,6 +99,7 @@ struct samba_kdc_entry_pac samba_kdc_get_device_pac(const astgs_request_t r)
        }
 
        return samba_kdc_entry_pac(device_pac,
+                                  device_principal,
                                   device_skdc_entry,
                                   device_krbtgt_skdc_entry);
 }
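Review bot: `device_principal` reaches this `samba_kdc_entry_pac()` call without a NULL check, while the only guard visible in the function is `device_pac == NULL`. If `kdc_request_get_armor_client_principal(r)` can return NULL for a request that still carries an armor PAC, the returned entry pairs a PAC with no principal, and a later name comparison on it would have nothing to compare against. Once the invariant is confirmed, I would record it next to the new declaration, e.g. `/* device_principal is only NULL when there is no armor PAC */`, or extend the guard if it does not hold. The part of the function between the hunks is not visible here, so this may already be covered.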
index 4937c26b019f52e994a6a35c557d2d41112fad56..8a7c0b41c46636d39655482c5a257f0a945df7cf 100644 (file)
@@ -876,6 +876,7 @@ static bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac)
 
 #ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
 struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
+                                              krb5_const_principal pac_princ,
                                               struct samba_kdc_entry *entry,
                                               const struct samba_kdc_entry *krbtgt)
 {
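Review bot: The new `pac_princ` parameter is undocumented, and this hunk shows only the signature change, so it cannot be seen from here whether the body stores or checks it. Because this is the principal a PAC is attributed to, a reader may assume the constructor ties the PAC to that name. A short comment above the definition and above the prototype in pac-glue.h should say what is actually done with it, along the lines of `/* pac_princ: principal the PAC belongs to; not copied, may be NULL when pac is NULL */`, adjusted to what the body really does. The prototype after `#else /* MIT */` in pac-glue.h is not touched by the visible hunk, so a note there that the two variants take different arguments would also help. The function body continues outside the hunk.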
index e9a67d8f6e60ffa17d0075825e48c91790d8bb87..114dff3756e4f87dda64c556c12db06c67e98cd5 100644 (file)
@@ -57,6 +57,7 @@ struct samba_kdc_entry_pac {
 
 #ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
 struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
+                                              krb5_const_principal pac_princ,
                                               struct samba_kdc_entry *entry,
                                               const struct samba_kdc_entry *krbtgt_entry);
 #else /* MIT */
index 0afe8b2537b1b8af044c7126b6896fa50f914f57..7d2e421097c2aa4682df97db44196d78fff5872d 100644 (file)
@@ -155,6 +155,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 }
 
 static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r,
+                                            krb5_const_principal client_principal,
                                             const hdb_entry *delegated_proxy,
                                             const hdb_entry *client,
                                             const hdb_entry *krbtgt,
@@ -203,6 +204,7 @@ static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r,
 
        krb5_pac_set_trusted(pac, is_trusted);
        client_pac_entry = samba_kdc_entry_pac(pac,
+                                              client_principal,
                                               client_skdc_entry,
                                               krbtgt_skdc_entry);
 
@@ -275,7 +277,7 @@ out:
 /* Re-sign (and reform, including possibly new groups) a PAC */
 
 static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
-                                          krb5_const_principal _client_principal,
+                                          krb5_const_principal client_principal,
                                           hdb_entry *delegated_proxy,
                                           krb5_const_pac delegated_proxy_pac,
                                           hdb_entry *client,
@@ -330,6 +332,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
        }
 
        delegated_proxy_pac_entry = samba_kdc_entry_pac(delegated_proxy_pac,
+                                                       delegated_proxy_principal,
                                                        delegated_proxy_skdc_entry,
                                                        delegated_proxy_krbtgt_entry);
 
@@ -347,6 +350,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
        }
 
        client_pac_entry = samba_kdc_entry_pac(*pac,
+                                              client_principal,
                                               client_skdc_entry,
                                               krbtgt_skdc_entry);
 
@@ -401,7 +405,7 @@ out:
 /* Verify a PAC's SID and signatures */
 
 static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
-                                           krb5_const_principal _client_principal,
+                                           krb5_const_principal client_principal,
                                            hdb_entry *delegated_proxy,
                                            hdb_entry *client,
                                            hdb_entry *_server,
@@ -526,6 +530,7 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
        }
 
        ret = samba_wdc_verify_pac2(r,
+                                   client_principal,
                                    delegated_proxy,
                                    client,
                                    krbtgt,