s4:mitkdc: Add support for S4U2Self & S4U2Proxy
authorAndreas Schneider <asn@samba.org>
Mon, 22 Nov 2021 19:09:31 +0000 (20:09 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Fri, 4 Mar 2022 14:05:31 +0000 (14:05 +0000)
Pair-Programmed-With: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
selftest/knownfail_mit_kdc
selftest/knownfail_mit_kdc_pre_1_20
selftest/skip_mit_kdc
source4/kdc/mit-kdb/kdb_samba_policies.c
source4/kdc/mit_samba.c
source4/kdc/mit_samba.h

index 4b4dfc963da672f604c09c10c01159367d30e440..8b18fdb0ff9ca3e79991b8ac1e2f12507aced164 100644 (file)
@@ -331,7 +331,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_false
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid)
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_allowed_denied
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_denied
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_no_krbtgt_link
@@ -410,8 +409,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 # PAC request tests
 #
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_none
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_true
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_none
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_true
@@ -429,3 +426,16 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting
+#
+# S4U tests
+#
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
\ No newline at end of file
index aef1755b6d87e2299e5dd65e38eac935d5bb36b8..b23e0562f8df135988c8c61e119ffecbf6612889 100644 (file)
@@ -144,4 +144,54 @@ samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.Simple
 #
 # PAC attributes tests
 #
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid)
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none
+#
+# PAC request tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_none
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_true
+#
+# S4U tests
+#
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_constrained_delegation_old_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_existing_delegation_info\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_missing_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_missing_service_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_client_pac\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_pac_options_rbcd\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_unkeyed_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_unkeyed_service_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_zeroed_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_zeroed_service_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_service_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_b\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_crc32_unkeyed_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_hmac_md5_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_md5_unkeyed_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_pac\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_sha1_unkeyed_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_empty_allowed\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_nonempty_allowed\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_wrong_sname\(
index ea644638c9f6a737a8b1778eb124adf25d3f6b74..4a51c98ea0b6e1272f4ed562fb48ddd52deec6a5 100644 (file)
@@ -3,4 +3,3 @@
 .*RODC
 ^samba4.ntvfs.cifs.ntlm.base.unlink
 ^samba4.ntvfs.cifs.krb5.base.unlink
-^samba.tests.krb5.s4u_tests
index cbc9bbb9dae8dcad3f0f44076fa8a21593567823..f1b2d73802013e1211b95f9310cdac97216eb3df 100644 (file)
@@ -686,41 +686,17 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
                                                       const krb5_db_entry *server,
                                                       krb5_const_principal proxy)
 {
-       struct mit_samba_context *mit_ctx;
-
-       /*
-        * Names are quite odd and confusing in the current implementation.
-        * The following mappings should help understanding what is what.
-        * client ->  client to impersonate
-        * server; -> delegating service
-        * proxy; -> target principal
-        */
-       krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
-
-       char *target_name = NULL;
-       bool is_enterprise;
-       krb5_error_code code;
+       struct mit_samba_context *mit_ctx = NULL;
 
        mit_ctx = ks_get_context(context);
        if (mit_ctx == NULL) {
                return KRB5_KDB_DBNOTINITED;
        }
 
-       code = krb5_unparse_name(context, proxy, &target_name);
-       if (code) {
-               goto done;
-       }
-
-       is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
+       return mit_samba_check_s4u2proxy(mit_ctx,
+                                        server,
+                                        proxy);
 
-       code = mit_samba_check_s4u2proxy(mit_ctx,
-                                        delegating_service,
-                                        target_name,
-                                        is_enterprise);
-
-done:
-       free(target_name);
-       return code;
 }
 
 
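Review bot: The `return mit_samba_check_s4u2proxy(...)` statement is followed by an empty line before the closing brace, a leftover from the removed `done:` cleanup block; drop the blank line so the function ends on the `return`. The removed block comment mapping the DAL parameter names onto their roles ("server -> delegating service", "proxy -> target principal") was the only explanation of those names in this function and still applies to the two parameters visible here, so a shortened form above the call, `/* server: delegating service, proxy: delegation target */`, would be worth keeping. The function's signature begins in the hunk header context, outside the hunk.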
index e6086f7cc8d80b55fc00efeae42d14b2bcfe5c82..900c2ce47e4034f95688bc9641a1eacf06669662 100644 (file)
@@ -1473,40 +1473,22 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
 }
 
 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
-                             krb5_db_entry *kentry,
-                             const char *target_name,
-                             bool is_nt_enterprise_name)
+                             const krb5_db_entry *server,
+                             krb5_const_principal target_principal)
 {
-#if 1
-       /*
-        * This is disabled because mit_samba_update_pac_data() does not handle
-        * S4U_DELEGATION_INFO
-        */
-
+#if KRB5_KDB_DAL_MAJOR_VERSION < 9
        return KRB5KDC_ERR_BADOPTION;
 #else
-       krb5_principal target_principal;
-       int flags = 0;
-       int ret;
-
-       if (is_nt_enterprise_name) {
-               flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
-       }
-
-       ret = krb5_parse_name_flags(ctx->context, target_name,
-                                   flags, &target_principal);
-       if (ret) {
-               return ret;
-       }
-
-       ret = samba_kdc_check_s4u2proxy(ctx->context,
-                                       ctx->db_ctx,
-                                       skdc_entry,
-                                       target_principal);
+       struct samba_kdc_entry *server_skdc_entry =
+               talloc_get_type_abort(server->e_data, struct samba_kdc_entry);
+       krb5_error_code code;
 
-       krb5_free_principal(ctx->context, target_principal);
+       code = samba_kdc_check_s4u2proxy(ctx->context,
+                                        ctx->db_ctx,
+                                        server_skdc_entry,
+                                        target_principal);
 
-       return ret;
+       return code;
 #endif
 }
 
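Review bot: `talloc_get_type_abort(server->e_data, struct samba_kdc_entry)` at the top of the `#else` branch turns a NULL or mistyped `e_data` into a process abort of the KDC rather than an error return; if every `krb5_db_entry` reaching this path is guaranteed to have been produced by this module's get_principal path (which presumably attaches the `samba_kdc_entry`), that invariant deserves a one-line comment, otherwise `if (server->e_data == NULL) { return KRB5KDC_ERR_BADOPTION; }` before the cast would be the safer failure mode. The `#if KRB5_KDB_DAL_MAJOR_VERSION < 9` branch replaced the old comment explaining why the function was stubbed out with no explanation at all; something like `/* S4U2Proxy needs the DAL >= 9 delegation interface; older KDCs reject the option */` would tell the next reader why the early return exists (the `knownfail_mit_kdc_pre_1_20` list suggests this maps to the krb5 1.20 boundary, but confirm). The `code` local is assigned once and returned immediately, so `return samba_kdc_check_s4u2proxy(ctx->context, ctx->db_ctx, server_skdc_entry, target_principal);` would also match the style of the new caller in kdb_samba_policies.c.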
index f34fb1bbfd5fb5512203a5317f8c1e125a65dc4d..662bf98201d60ac3ce22eeb48d938287b998198e 100644 (file)
@@ -83,9 +83,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
                                  DATA_BLOB *e_data);
 
 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
-                             krb5_db_entry *kentry,
-                             const char *target_name,
-                             bool is_nt_enterprise_name);
+                             const krb5_db_entry *server,
+                             krb5_const_principal target_principal);
 
 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
                                      char *pwd,
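Review bot: The new `mit_samba_check_s4u2proxy` prototype has no documentation, and its contract is now non-obvious: the implementation in mit_samba.c returns `KRB5KDC_ERR_BADOPTION` unconditionally when built against a DAL major version below 9 and otherwise returns the result of `samba_kdc_check_s4u2proxy`. A short Doxygen block above the declaration stating that `server` is the delegating service entry (whose `e_data` must hold the `samba_kdc_entry`), that `target_principal` is the delegation target, and that the return is 0 on success or a krb5 error code (always `KRB5KDC_ERR_BADOPTION` on pre-DAL-9 builds) would let callers understand the failure modes without reading the `.c` file.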