s4:kdc: pass down SAMBA_KDC_FLAG_PROTOCOL_TRANSITION to samba_kdc_update_pac()
authorAndreas Schneider <asn@samba.org>
Mon, 11 Oct 2021 12:47:25 +0000 (14:47 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 13 Apr 2022 12:59:30 +0000 (12:59 +0000)
This gives samba_kdc_update_pac() a chance to detect S4U2Self.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/kdc/mit_samba.c
source4/kdc/wdc-samba4.c

index 85b002dd5fa2954ceb2b32b1728151dd35c0d2f2..d9271b8ffef92d49836d4ae97d6e7078b50e596a 100644 (file)
@@ -609,6 +609,10 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
 
        }
 
+       if (kdc_flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+               flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
+       }
+
        if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
                flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION;
                delegated_proxy_principal = discard_const(client_principal);
index a8993ce3950579c81916d25b70b1a9c745acf63e..7d9ac0b27e1407e64bac0ceb50cec8fdae1f751d 100644 (file)
 #include "librpc/gen_ndr/auth.h"
 #include <krb5_locl.h>
 
+static bool samba_wdc_is_s4u2self_req(astgs_request_t r)
+{
+       krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r);
+       const KDC_REQ *req = kdc_request_get_req(r);
+       const PA_DATA *pa_for_user = NULL;
+
+       if (req->msg_type != krb_tgs_req) {
+               return false;
+       }
+
+       if (config->enable_fast && req->padata != NULL) {
+               const PA_DATA *pa_fx_fast = NULL;
+               int idx = 0;
+
+               pa_fx_fast = krb5_find_padata(req->padata->val,
+                                             req->padata->len,
+                                             KRB5_PADATA_FX_FAST,
+                                             &idx);
+               if (pa_fx_fast != NULL) {
+                       /*
+                        * We're in the outer request
+                        * with KRB5_PADATA_FX_FAST
+                        * if fast is enabled we'll
+                        * process the s4u2self
+                        * request only in the
+                        * inner request.
+                        */
+                       return false;
+               }
+       }
+
+       if (req->padata != NULL) {
+               int idx = 0;
+
+               pa_for_user = krb5_find_padata(req->padata->val,
+                                              req->padata->len,
+                                              KRB5_PADATA_FOR_USER,
+                                              &idx);
+       }
+
+       if (pa_for_user != NULL) {
+               return true;
+       }
+
+       return false;
+}
+
 /*
  * Given the right private pointer from hdb_samba4,
  * get a PAC from the attached ldb messages.
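Review bot: samba_wdc_is_s4u2self_req decides purely on the presence of a PA-FOR-USER element in the TGS-REQ padata; nothing in the hunk shows whether that padata (and its checksum) has already been verified by the KDC by the time samba_wdc_reget_pac2 calls this, so the helper should carry a header comment stating that assumption instead of leaving it to the reader, e.g. `/* True for a TGS-REQ carrying PA-FOR-USER (S4U2Self); a FAST outer request is skipped so only the inner request counts. Presence only: PA-FOR-USER validation is assumed to happen in the KDC request path, not here. */`. As a point of style, the closing `if (pa_for_user != NULL) { return true; } return false;` collapses to `return pa_for_user != NULL;`. The hunk's own header is not visible in this view, so the surrounding context is inferred.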
@@ -111,7 +158,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
        return ret;
 }
 
-static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
+static krb5_error_code samba_wdc_reget_pac2(astgs_request_t r,
                                            const krb5_principal delegated_proxy_principal,
                                            hdb_entry *client,
                                            hdb_entry *server,
@@ -119,6 +166,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
                                            krb5_pac *pac,
                                            krb5_cksumtype ctype)
 {
+       krb5_context context = kdc_request_get_context((kdc_request_t)r);
        struct samba_kdc_entry *client_skdc_entry = NULL;
        struct samba_kdc_entry *server_skdc_entry =
                talloc_get_type_abort(server->context, struct samba_kdc_entry);
@@ -127,6 +175,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
        TALLOC_CTX *mem_ctx = NULL;
        krb5_pac new_pac = NULL;
        krb5_error_code ret;
+       bool is_s4u2self = samba_wdc_is_s4u2self_req(r);
        bool is_in_db = false;
        bool is_untrusted = false;
        uint32_t flags = 0;
@@ -155,6 +204,10 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
                goto out;
        }
 
+       if (is_s4u2self) {
+               flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
+       }
+
        if (delegated_proxy_principal != NULL) {
                krb5_enctype etype;
                Key *key = NULL;
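Review bot: The new `flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;` is set independently of the `delegated_proxy_principal != NULL` branch that follows, so a request that carries both PA-FOR-USER and a delegated proxy principal would, as far as this hunk shows, reach samba_kdc_update_pac() with both SAMBA_KDC_FLAG_PROTOCOL_TRANSITION and SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION set; whether that combination is rejected downstream is not visible here. A one-line comment on the new block, e.g. `/* S4U2Self: let samba_kdc_update_pac() apply protocol-transition rules. */`, and, if the combination is meant to be exclusive, a note saying where it is rejected, would make the intent explicit. samba_wdc_reget_pac2 starts and ends outside this hunk.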
@@ -358,7 +411,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
                }
        }
 
-       ret = samba_wdc_reget_pac2(context,
+       ret = samba_wdc_reget_pac2(r,
                                   delegated_proxy_principal,
                                   client,
                                   server,