s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()
authorAndreas Schneider <asn@samba.org>
Thu, 7 Oct 2021 13:12:35 +0000 (15:12 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 15 Dec 2021 03:41:32 +0000 (03:41 +0000)
This will be allocated by the KDC in MIT KRB5 1.20 and newer.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/mit_samba.c
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h
source4/kdc/wdc-samba4.c

index 748a5f6e30c4bbd80b2dd585171077faa0adbafc..3cc015aefb6dea25e2accd1e6bf6eb22dff41966 100644 (file)
@@ -501,6 +501,12 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                pcred_blob = &cred_blob;
        }
 
+       code = krb5_pac_init(context, pac);
+       if (code != 0) {
+               talloc_free(tmp_ctx);
+               return code;
+       }
+
        code = samba_make_krb5_pac(context,
                                   logon_info_blob,
                                   pcred_blob,
@@ -508,7 +514,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                                   pac_attrs_blob,
                                   requester_sid_blob,
                                   NULL,
-                                  pac);
+                                  *pac);
 
        talloc_free(tmp_ctx);
        return code;
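Review bot: On the failure path ending at `return code;` the PAC that `krb5_pac_init()` allocated six lines earlier is never released, so a failing `samba_make_krb5_pac()` now leaks `*pac` to the caller unless that function frees it itself, which is not visible here and would be odd now that ownership has moved to the caller. The allocator should also be the one to clean up, e.g. `if (code != 0) { krb5_pac_free(context, *pac); *pac = NULL; }` before the `talloc_free(tmp_ctx)`, so the out-parameter is never handed back in a half-built state. The same pattern applies to `samba_wdc_get_pac()` in source4/kdc/wdc-samba4.c, where `ret` and `*pac` need identical handling after the call. mit_samba_get_pac() begins and ends outside these hunks, so any cleanup added elsewhere in it was not checked.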
index 2a96a683cd9516fab7376d4bfa517094581b5156..4c91fe570819058f51d1310dead6d0b68c919dd2 100644 (file)
@@ -478,6 +478,29 @@ krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
 #endif /* SAMBA4_USES_HEIMDAL */
 
 
+/**
+ * @brief Create a PAC with the given blobs (logon, credentials, upn and
+ * delegation).
+ *
+ * @param[in] context   The KRB5 context to use.
+ *
+ * @param[in] logon_blob Fill the logon info PAC buffer with the given blob,
+ *                       use NULL to ignore it.
+ *
+ * @param[in] cred_blob  Fill the credentials info PAC buffer with the given
+ *                       blob, use NULL to ignore it.
+ *
+ * @param[in] upn_blob  Fill the UPN info PAC buffer with the given blob, use
+ *                      NULL to ignore it.
+ *
+ * @param[in] deleg_blob Fill the delegation info PAC buffer with the given
+ *                       blob, use NULL to ignore it.
+ *
+ * @param[in] pac        The pac buffer to fill. This should be allocated with
+ *                       krb5_pac_init() already.
+ *
+ * @returns 0 on success or a corresponding KRB5 error.
+ */
 krb5_error_code samba_make_krb5_pac(krb5_context context,
                                    const DATA_BLOB *logon_blob,
                                    const DATA_BLOB *cred_blob,
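Review bot: The new Doxygen block documents logon, credentials, UPN and delegation but omits `pac_attrs_blob` and `requester_sid_blob`, which the signature continued in the next hunk still takes, so the parameter list is incomplete from the first commit that adds it. Add `@param[in] pac_attrs_blob Fill the attributes PAC buffer with the given blob, use NULL to ignore it.` and `@param[in] requester_sid_blob Fill the requester SID PAC buffer with the given blob, use NULL to ignore it.` in signature order. The `pac` entry is the one that carries the new ownership contract and should be `@param[in,out]`, stating that the caller allocates it with krb5_pac_init(), keeps ownership, and must free it with krb5_pac_free() on both success and failure, since the error returns visible in the later hunks release only the temporary krb5_data, not the PAC. samba_make_krb5_pac()'s signature and body continue past this hunk.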
@@ -485,7 +508,7 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
                                    const DATA_BLOB *pac_attrs_blob,
                                    const DATA_BLOB *requester_sid_blob,
                                    const DATA_BLOB *deleg_blob,
-                                   krb5_pac *pac)
+                                   krb5_pac pac)
 {
        krb5_data logon_data;
        krb5_data cred_data;
@@ -578,18 +601,7 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
                }
        }
 
-       ret = krb5_pac_init(context, pac);
-       if (ret != 0) {
-               smb_krb5_free_data_contents(context, &logon_data);
-               smb_krb5_free_data_contents(context, &cred_data);
-               smb_krb5_free_data_contents(context, &upn_data);
-               smb_krb5_free_data_contents(context, &pac_attrs_data);
-               smb_krb5_free_data_contents(context, &requester_sid_data);
-               smb_krb5_free_data_contents(context, &deleg_data);
-               return ret;
-       }
-
-       ret = krb5_pac_add_buffer(context, *pac, PAC_TYPE_LOGON_INFO, &logon_data);
+       ret = krb5_pac_add_buffer(context, pac, PAC_TYPE_LOGON_INFO, &logon_data);
        smb_krb5_free_data_contents(context, &logon_data);
        if (ret != 0) {
                smb_krb5_free_data_contents(context, &cred_data);
@@ -601,7 +613,7 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
        }
 
        if (cred_blob != NULL) {
-               ret = krb5_pac_add_buffer(context, *pac,
+               ret = krb5_pac_add_buffer(context, pac,
                                          PAC_TYPE_CREDENTIAL_INFO,
                                          &cred_data);
                smb_krb5_free_data_contents(context, &cred_data);
@@ -622,7 +634,7 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
         *
         * Not needed with MIT Kerberos - asn
         */
-       ret = krb5_pac_add_buffer(context, *pac,
+       ret = krb5_pac_add_buffer(context, pac,
                                  PAC_TYPE_LOGON_NAME,
                                  &null_data);
        if (ret != 0) {
@@ -635,7 +647,7 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
 #endif
 
        if (upn_blob != NULL) {
-               ret = krb5_pac_add_buffer(context, *pac,
+               ret = krb5_pac_add_buffer(context, pac,
                                          PAC_TYPE_UPN_DNS_INFO,
                                          &upn_data);
                smb_krb5_free_data_contents(context, &upn_data);
@@ -648,7 +660,7 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
        }
 
        if (pac_attrs_blob != NULL) {
-               ret = krb5_pac_add_buffer(context, *pac,
+               ret = krb5_pac_add_buffer(context, pac,
                                          PAC_TYPE_ATTRIBUTES_INFO,
                                          &pac_attrs_data);
                smb_krb5_free_data_contents(context, &pac_attrs_data);
@@ -660,7 +672,7 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
        }
 
        if (requester_sid_blob != NULL) {
-               ret = krb5_pac_add_buffer(context, *pac,
+               ret = krb5_pac_add_buffer(context, pac,
                                          PAC_TYPE_REQUESTER_SID,
                                          &requester_sid_data);
                smb_krb5_free_data_contents(context, &requester_sid_data);
@@ -671,7 +683,7 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
        }
 
        if (deleg_blob != NULL) {
-               ret = krb5_pac_add_buffer(context, *pac,
+               ret = krb5_pac_add_buffer(context, pac,
                                          PAC_TYPE_CONSTRAINED_DELEGATION,
                                          &deleg_data);
                smb_krb5_free_data_contents(context, &deleg_data);
index 266e000f9cdda39ff5701b60898915e15c69b00a..d3395038a55a28af9909e26bab162026fcfb12bb 100644 (file)
@@ -34,7 +34,7 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
                                    const DATA_BLOB *pac_attrs_blob,
                                    const DATA_BLOB *requester_sid_blob,
                                    const DATA_BLOB *deleg_blob,
-                                   krb5_pac *pac);
+                                   krb5_pac pac);
 
 bool samba_princ_needs_pac(struct samba_kdc_entry *skdc_entry);
 
index d7ce34fb3a917b5ef61bceb4ca9675444bd4cde9..a60eb17e9fe354a3e6b51568bb89682ce955d642 100644 (file)
@@ -95,9 +95,15 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
                cred_blob = &_cred_blob;
        }
 
+       ret = krb5_pac_init(context, pac);
+       if (ret != 0) {
+               talloc_free(mem_ctx);
+               return ret;
+       }
+
        ret = samba_make_krb5_pac(context, logon_blob, cred_blob,
                                  upn_blob, pac_attrs_blob,
-                                 requester_sid_blob, NULL, pac);
+                                 requester_sid_blob, NULL, *pac);
 
        talloc_free(mem_ctx);
        return ret;