This simplifies and unifies the callers.
For the MIT kdc we avoid using via kerberos_pac_to_user_info_dc()
directly.
Now both go via samba_kdc_get_user_info_dc() and MIT also
handles the samba_kdc_get_claims_data() path.
For the MIT kdc it means kerberos_pac_to_user_info_dc() is now
called via samba_kdc_get_user_info_dc() ->
samba_kdc_get_user_info_from_pac() and it is followed by
authsam_update_user_info_dc() consistently.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
struct samba_kdc_entry *client_skdc_entry = NULL;
const struct samba_kdc_entry *client_krbtgt_skdc_entry = NULL;
struct samba_kdc_entry *proxy_skdc_entry = NULL;
- const struct auth_user_info_dc *client_info = NULL;
- const struct auth_user_info_dc *device_info = NULL;
struct samba_kdc_entry_pac client_pac_entry = {};
- struct auth_claims auth_claims = {};
+ struct samba_kdc_entry_pac device_pac_entry = {};
TALLOC_CTX *mem_ctx = NULL;
krb5_error_code code;
client_skdc_entry,
client_krbtgt_skdc_entry);
- code = samba_kdc_get_user_info_dc(mem_ctx,
- context,
- kdc_db_ctx,
- client_pac_entry,
- &client_info,
- NULL /* resource_groups_out */);
- if (code != 0) {
- goto out;
- }
-
- code = samba_kdc_get_claims_data(mem_ctx,
- context,
- kdc_db_ctx,
- client_pac_entry,
- &auth_claims.user_claims);
- if (code) {
- goto out;
- }
-
if (device != NULL) {
struct samba_kdc_entry *device_skdc_entry = NULL;
const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
- struct samba_kdc_entry_pac device_pac_entry = {};
device_skdc_entry = talloc_get_type_abort(device->context,
struct samba_kdc_entry);
device_pac_entry = samba_kdc_entry_pac(device_pac,
device_skdc_entry,
device_krbtgt_skdc_entry);
-
- code = samba_kdc_get_user_info_dc(mem_ctx,
- context,
- kdc_db_ctx,
- device_pac_entry,
- &device_info,
- NULL /* resource_groups_out */);
- if (code) {
- goto out;
- }
-
- code = samba_kdc_get_claims_data(mem_ctx,
- context,
- kdc_db_ctx,
- device_pac_entry,
- &auth_claims.device_claims);
- if (code) {
- goto out;
- }
}
code = samba_kdc_check_s4u2proxy_rbcd(context,
kdc_db_ctx,
client->principal,
server_principal,
- client_info,
- device_info,
- auth_claims,
+ client_pac_entry,
+ device_pac_entry,
proxy_skdc_entry);
-out:
+
talloc_free(mem_ctx);
return code;
}
{
struct samba_kdc_entry *proxy_skdc_entry =
talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
- struct auth_user_info_dc *user_info_dc = NULL;
- TALLOC_CTX *mem_ctx = NULL;
+ struct samba_kdc_entry_pac client_pac_entry = {};
krb5_error_code code;
/* This sets the time into the DSDB opaque */
*ctx->db_ctx->current_nttime_ull = proxy_skdc_entry->current_nttime;
- mem_ctx = talloc_new(NULL);
- if (mem_ctx == NULL) {
- return ENOMEM;
- }
-
/*
* FIXME: If ever we support RODCs, we must check that the PAC has not
* been issued by an RODC (other than ourselves) — otherwise the PAC
* cannot be trusted. Because the plugin interface does not give us the
* client entry, we cannot look up its groups in the database.
+ *
+ * We would have to call
+ * code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
+ * &is_in_db,
+ * &is_trusted);
+ *
+ * But we don't have krbtgt_skdc_entry nor client_skdc_entry here,
+ * only a pac, which we need to trust without additional information.
+ *
+ * We also don't know if the pac comes from a trusted domain...
*/
- code = kerberos_pac_to_user_info_dc(mem_ctx,
- header_pac,
- ctx->context,
- &user_info_dc,
- AUTH_INCLUDE_RESOURCE_GROUPS,
- NULL,
- NULL,
- NULL);
- if (code != 0) {
- goto out;
- }
+
+ client_pac_entry = samba_kdc_entry_pac_from_trusted(header_pac,
+ NULL, /* client_skdc_entry */
+ NULL, /* krbtgt_skdc_entry */
+ true); /* is_trusted */
code = samba_kdc_check_s4u2proxy_rbcd(ctx->context,
ctx->db_ctx,
client_principal,
server_principal,
- user_info_dc,
- NULL /* device_info_dc */,
- (struct auth_claims) {},
+ client_pac_entry,
+ (struct samba_kdc_entry_pac) {} /* device */,
proxy_skdc_entry);
-out:
- talloc_free(mem_ctx);
+
return code;
}
struct samba_kdc_db_context *kdc_db_ctx,
krb5_const_principal client_principal,
krb5_const_principal server_principal,
- const struct auth_user_info_dc *user_info_dc,
- const struct auth_user_info_dc *device_info_dc,
- const struct auth_claims auth_claims,
+ struct samba_kdc_entry_pac client,
+ struct samba_kdc_entry_pac device,
struct samba_kdc_entry *proxy_skdc_entry)
{
krb5_error_code code;
char *server_name = NULL;
const char *proxy_dn = NULL;
const DATA_BLOB *data = NULL;
+ const struct auth_user_info_dc *user_info_dc = NULL;
+ const struct auth_user_info_dc *device_info_dc = NULL;
+ struct auth_claims auth_claims = {};
struct security_descriptor *rbcd_security_descriptor = NULL;
struct security_token *security_token = NULL;
uint32_t session_info_flags =
return code;
}
+ code = samba_kdc_get_user_info_dc(mem_ctx,
+ context,
+ kdc_db_ctx,
+ client,
+ &user_info_dc,
+ NULL /* resource_groups_out */);
+ if (code != 0) {
+ goto out;
+ }
+
+ code = samba_kdc_get_claims_data(mem_ctx,
+ context,
+ kdc_db_ctx,
+ client,
+ &auth_claims.user_claims);
+ if (code) {
+ goto out;
+ }
+
+ if (samba_kdc_entry_pac_valid_principal(device)) {
+ code = samba_kdc_get_user_info_dc(mem_ctx,
+ context,
+ kdc_db_ctx,
+ device,
+ &device_info_dc,
+ NULL /* resource_groups_out */);
+ if (code) {
+ goto out;
+ }
+
+ code = samba_kdc_get_claims_data(mem_ctx,
+ context,
+ kdc_db_ctx,
+ device,
+ &auth_claims.device_claims);
+ if (code) {
+ goto out;
+ }
+ }
+
proxy_dn = ldb_dn_get_linearized(proxy_skdc_entry->msg->dn);
if (proxy_dn == NULL) {
DBG_ERR("ldb_dn_get_linearized failed for proxy_dn!\n");
struct samba_kdc_db_context *kdc_db_ctx,
krb5_const_principal client_principal,
krb5_const_principal server_principal,
- const struct auth_user_info_dc *user_info_dc,
- const struct auth_user_info_dc *device_info_dc,
- const struct auth_claims auth_claims,
+ struct samba_kdc_entry_pac client,
+ struct samba_kdc_entry_pac device,
struct samba_kdc_entry *proxy_skdc_entry);
projects / thirdparty / samba.git / commitdiff
