s4:kdc: Have samba_kdc_update_pac() take device parameters
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 16 Mar 2023 22:14:15 +0000 (11:14 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 22 Mar 2023 18:40:31 +0000 (18:40 +0000)
These will be used later when we add support for compound
authentication.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/mit_samba.c
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h
source4/kdc/wdc-samba4.c

index c3c07926ccada088adecc68e186d62875c35c805..4d7d60cb7652f513e10168e332e75e75231ebbbb 100644 (file)
@@ -651,6 +651,8 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
                                    server_skdc_entry,
                                    krbtgt_skdc_entry,
                                    delegated_proxy_principal,
+                                   NULL, /* device */
+                                   NULL, /* device_pac */
                                    *pac,
                                    new_pac);
        if (code != 0) {
@@ -752,6 +754,8 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
                                    server_skdc_entry,
                                    krbtgt_skdc_entry,
                                    NULL, /* delegated_proxy_principal */
+                                   NULL, /* device */
+                                   NULL, /* device_pac */
                                    old_pac,
                                    new_pac);
        if (code != 0) {
index 70c36c4b9533e565d1d4bbdf9062adbf1d385b77..80e72579cc16977d9567217676107a112d45549b 100644 (file)
@@ -1727,6 +1727,12 @@ WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_object_sids,
  *                                  updating the constrained delegation PAC
  *                                  buffer.
 
+ * @param device    The computer's samba kdc entry; used for compound
+ *                  authentication.
+
+ * @param device_pac        The PAC from the computer's TGT; used
+ *                          for compound authentication.
+
  * @param old_pac                   The old PAC
 
  * @param new_pac                   The new already allocated PAC
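Review bot: The new @param text for device_pac omits the precondition the body enforces with SMB_ASSERT(*device_pac != NULL): it must be a non-NULL pointer to a non-NULL PAC whenever device is non-NULL, and both parameters are ignored when device is NULL. It also does not say that the only check applied to it is a SID comparison with no signature verification (per the comment on the validate call), so a caller must supply a PAC whose signatures were already verified. Suggested wording: ` * @param device_pac        Pointer to the PAC from the computer's TGT; must be non-NULL (and point to a non-NULL PAC) when device is non-NULL. Only its SID is compared with device here, no signatures are checked.` The doc block continues outside the hunk.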
@@ -1743,6 +1749,8 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                                     const struct samba_kdc_entry *server,
                                     const struct samba_kdc_entry *krbtgt,
                                     const krb5_principal delegated_proxy_principal,
+                                    const struct samba_kdc_entry *device,
+                                    const krb5_const_pac *device_pac,
                                     const krb5_pac old_pac,
                                     const krb5_pac new_pac)
 {
@@ -1811,6 +1819,31 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                }
        }
 
+       if (device != NULL) {
+               SMB_ASSERT(*device_pac != NULL);
+
+               /*
+                * Check the objectSID of the device and pac data are the same.
+                * Does a parse and SID check, but no crypto.
+                */
+               code = samba_kdc_validate_pac_blob(context,
+                                                  device,
+                                                  *device_pac);
+               if (code != 0) {
+                       goto done;
+               }
+
+               /*
+                * TODO: When we support compound authentication, we will use
+                * the device PAC to generate PAC buffers for Device Info
+                * (containing the computer account's groups) and Device Claims
+                * (containing claims for the computer account), and insert them
+                * into the emitted PAC.
+                *
+                * See [MS-KILE 1.3.4], [MS-KILE 3.3.5.7.4].
+                */
+       }
+
        if (!is_trusted) {
                struct auth_user_info_dc *user_info_dc = NULL;
                WERROR werr;
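Review bot: The guard at the top of the new block dereferences device_pac before asserting on it: `SMB_ASSERT(*device_pac != NULL);` reads through a NULL device_pac pointer before the assertion can fire, so a caller passing a non-NULL device together with device_pac == NULL faults on the read rather than on the assert. Suggest `SMB_ASSERT(device_pac != NULL && *device_pac != NULL);`, or, if SMB_ASSERT panics in production builds, returning an error code from this per-request KDC path instead of taking the whole process down. The comment on the validate call states that it does a parse and SID comparison with no crypto; it would help to say here which earlier step verified the device PAC's signatures, since nothing in this function does. samba_kdc_update_pac() starts and ends outside the hunk.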
index c797a389c209d92da8585f22d10ee80573911959..5c83fba934c6744f90d0a4460ab0e734145922af 100644 (file)
@@ -126,5 +126,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                                     const struct samba_kdc_entry *server,
                                     const struct samba_kdc_entry *krbtgt,
                                     krb5_principal delegated_proxy_principal,
+                                    const struct samba_kdc_entry *device,
+                                    const krb5_const_pac *device_pac,
                                     krb5_pac old_pac,
                                     krb5_pac new_pac);
index 6fc4f81703483490d12ff9ccd8843b5da62712b0..eb88e52f0fbcc9949bf62e11c770450c5ac0245d 100644 (file)
@@ -238,6 +238,7 @@ static krb5_error_code samba_wdc_reget_pac2(astgs_request_t r,
        struct samba_kdc_entry *client_skdc_entry = NULL;
        struct samba_kdc_entry *server_skdc_entry =
                talloc_get_type_abort(server->context, struct samba_kdc_entry);
+       struct samba_kdc_entry *device_skdc_entry = NULL;
        struct samba_kdc_entry *krbtgt_skdc_entry =
                talloc_get_type_abort(krbtgt->context, struct samba_kdc_entry);
        TALLOC_CTX *mem_ctx = NULL;
@@ -265,22 +266,8 @@ static krb5_error_code samba_wdc_reget_pac2(astgs_request_t r,
        }
 
        if (device != NULL) {
-               struct samba_kdc_entry *device_skdc_entry = NULL;
-
                device_skdc_entry = talloc_get_type_abort(device->context,
                                                          struct samba_kdc_entry);
-
-               /*
-                * Check the objectSID of the device and pac data are the same.
-                * Does a parse and SID check, but no crypto.
-                */
-               ret = samba_kdc_validate_pac_blob(context,
-                                                 device_skdc_entry,
-                                                 *device_pac);
-               if (ret != 0) {
-                       talloc_free(mem_ctx);
-                       return ret;
-               }
        }
 
        /*
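Review bot: The SID check on the device PAC now runs later than before: with the samba_kdc_validate_pac_blob() call removed from this block it happens only inside samba_kdc_update_pac(), so any code between here and that call (outside this hunk) that consults *device_pac would operate on an unvalidated PAC. Worth confirming nothing in that gap uses device_pac, or keeping the early return here. After the move the non-NULL device case also no longer touches device_pac at all, while the callee asserts on *device_pac, so the invariant should be stated at this site, e.g. `/* device_pac must be valid whenever device is set; checked in samba_kdc_update_pac() */`. samba_wdc_reget_pac2() starts and ends outside the hunk.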
@@ -371,6 +358,8 @@ static krb5_error_code samba_wdc_reget_pac2(astgs_request_t r,
                                   server_skdc_entry,
                                   krbtgt_skdc_entry,
                                   delegated_proxy_principal,
+                                  device_skdc_entry,
+                                  device_pac,
                                   *pac,
                                   new_pac);
        if (ret != 0) {