return ret;
}
-static krb5_error_code samba_kdc_update_device_info(TALLOC_CTX *mem_ctx,
- struct ldb_context *samdb,
- const union PAC_INFO *logon_info,
- struct PAC_DEVICE_INFO *device_info)
-{
- NTSTATUS nt_status;
- struct auth_user_info_dc *device_info_dc = NULL;
- union netr_Validation validation;
- uint32_t i;
- uint32_t num_existing_sids;
-
- /*
- * This does a bit of unnecessary work, setting up fields we don't care
- * about -- we only want the SIDs.
- */
- validation.sam3 = &logon_info->logon_info.info->info3;
- nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
- true, /* This user was authenticated */
- &device_info_dc);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return map_errno_from_nt_status(nt_status);
- }
-
- num_existing_sids = device_info_dc->num_sids;
-
- /*
- * We need to expand group memberships within our local domain,
- * as the token might be generated by a trusted domain.
- */
- nt_status = authsam_update_user_info_dc(mem_ctx,
- samdb,
- device_info_dc);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return map_errno_from_nt_status(nt_status);
- }
-
- for (i = num_existing_sids; i < device_info_dc->num_sids; ++i) {
- struct auth_SidAttr *device_sid = &device_info_dc->sids[i];
- const struct netr_SidAttr sid = (struct netr_SidAttr) {
- .sid = &device_sid->sid,
- .attributes = device_sid->attrs,
- };
-
- krb5_error_code ret = samba_kdc_add_domain_group_sid(device_info, &sid);
- if (ret != 0) {
- return ret;
- }
- }
-
- return 0;
-}
-
static krb5_error_code samba_kdc_get_device_info_pac_blob(TALLOC_CTX *mem_ctx,
union PAC_INFO *info,
DATA_BLOB **_device_info_blob)
return 0;
}
-static krb5_error_code samba_kdc_create_device_info_blob(TALLOC_CTX *mem_ctx,
- krb5_context context,
- struct ldb_context *samdb,
- const krb5_const_pac device_pac,
- DATA_BLOB **device_info_blob)
-{
- TALLOC_CTX *frame = NULL;
- krb5_data device_logon_info;
- krb5_error_code code = EINVAL;
- NTSTATUS nt_status;
-
- union PAC_INFO info;
- enum ndr_err_code ndr_err;
- DATA_BLOB device_logon_info_blob;
-
- union PAC_INFO logon_info;
-
- code = krb5_pac_get_buffer(context, device_pac,
- PAC_TYPE_LOGON_INFO,
- &device_logon_info);
- if (code != 0) {
- if (code == ENOENT) {
- DBG_ERR("Device PAC is missing LOGON_INFO\n");
- } else {
- DBG_ERR("Error getting LOGON_INFO from device PAC\n");
- }
- return code;
- }
-
- frame = talloc_stackframe();
-
- device_logon_info_blob = data_blob_const(device_logon_info.data,
- device_logon_info.length);
-
- ndr_err = ndr_pull_union_blob(&device_logon_info_blob, frame, &logon_info,
- PAC_TYPE_LOGON_INFO,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
- smb_krb5_free_data_contents(context, &device_logon_info);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- nt_status = ndr_map_error2ntstatus(ndr_err);
- DBG_ERR("can't parse device PAC LOGON_INFO: %s\n",
- nt_errstr(nt_status));
- talloc_free(frame);
- return map_errno_from_nt_status(nt_status);
- }
-
- /*
- * When creating the device info structure, existing resource groups are
- * discarded.
- */
- code = samba_kdc_make_device_info(frame,
- &logon_info.logon_info.info->info3,
- NULL, /* resource_groups */
- &info);
- if (code != 0) {
- talloc_free(frame);
- return code;
- }
-
- code = samba_kdc_update_device_info(frame,
- samdb,
- &logon_info,
- info.device_info.info);
- if (code != 0) {
- talloc_free(frame);
- return code;
- }
-
- code = samba_kdc_get_device_info_pac_blob(mem_ctx,
- &info,
- device_info_blob);
-
- talloc_free(frame);
- return code;
-}
-
static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
krb5_context context,
struct ldb_context *samdb,
device_claims_blob_ptr = &device_claims_blob;
- if (samba_krb5_pac_is_trusted(device)) {
- code = samba_kdc_create_device_info_blob(tmp_ctx,
- context,
- samdb,
- device.pac,
- &device_info_blob);
- if (code != 0) {
- goto done;
- }
- } else {
- /* Don't trust an RODC‐issued PAC; regenerate the device info. */
- code = samba_kdc_get_device_info_blob(tmp_ctx,
- context,
- samdb,
- device,
- &device_info_blob);
- if (code != 0) {
- goto done;
- }
+ code = samba_kdc_get_device_info_blob(tmp_ctx,
+ context,
+ samdb,
+ device,
+ &device_info_blob);
+ if (code != 0) {
+ goto done;
}
}
}
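Review bot: The trusted/untrusted distinction on the device PAC is dropped here without a comment saying why the device info is now always regenerated from samdb, so a later reader may reintroduce the copy-from-PAC shortcut; suggest `/* Always regenerate the device info from samdb; the device PAC's LOGON_INFO is not reused even when the PAC is trusted. */` above the samba_kdc_get_device_info_blob() call. The removed else-branch comment about not trusting an RODC-issued PAC was the only place that rationale was recorded, and it should survive in some form. Whether samba_kdc_get_device_info_blob() consults samba_krb5_pac_is_trusted() itself is not visible in this chunk; if the trust state of `device` still matters downstream, that is where it now has to be checked. The enclosing function starts outside the hunk.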