s4:kdc: fetch client_claims_blob from samba_kdc_get_pac_blobs()
authorStefan Metzmacher <metze@samba.org>
Thu, 24 Feb 2022 23:19:06 +0000 (00:19 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 8 Nov 2022 02:39:37 +0000 (02:39 +0000)
The blob will be empty until we properly support claims.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/mit_samba.c
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h
source4/kdc/wdc-samba4.c

index 9ebc773137ac35140a8644c5167514ba00f5b25c..cd4a107154bfad0cfd86f64896f51ef6dad846f5 100644 (file)
@@ -505,7 +505,8 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                                            &upn_dns_info_blob,
                                            is_krbtgt ? &pac_attrs_blob : NULL,
                                            PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
-                                           is_krbtgt ? &requester_sid_blob : NULL);
+                                           is_krbtgt ? &requester_sid_blob : NULL,
+                                           NULL);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(tmp_ctx);
                if (NT_STATUS_EQUAL(nt_status,
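Review bot: The new trailing `NULL` argument in the samba_kdc_get_pac_blobs call gives no hint which optional output it declines, unlike the neighbouring `is_krbtgt ? &requester_sid_blob : NULL` arguments; the same applies to the call in samba_wdc_get_pac in wdc-samba4.c. A short annotation, `NULL /* _client_claims_blob: not requested here */`, would make it clear that this caller deliberately adds no client-claims buffer rather than having been overlooked when the parameter was added. Whether these two callers should request the blob as samba_kdc_update_pac now does is not decidable from these hunks. mit_samba_get_pac's body continues outside the hunk.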
index 95d86638836aaa01d5b224718709ad9a2f5d1d55..5e20f296a654a1ebbc349bdea3899cbe7da2e695 100644 (file)
@@ -847,7 +847,8 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                                 DATA_BLOB **_upn_info_blob,
                                 DATA_BLOB **_pac_attrs_blob,
                                 uint64_t pac_attributes,
-                                DATA_BLOB **_requester_sid_blob)
+                                DATA_BLOB **_requester_sid_blob,
+                                DATA_BLOB **_client_claims_blob)
 {
        struct auth_user_info_dc *user_info_dc = NULL;
        DATA_BLOB *logon_blob = NULL;
@@ -855,6 +856,7 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
        DATA_BLOB *upn_blob = NULL;
        DATA_BLOB *pac_attrs_blob = NULL;
        DATA_BLOB *requester_sid_blob = NULL;
+       DATA_BLOB *client_claims_blob = NULL;
        NTSTATUS nt_status;
 
        *_logon_info_blob = NULL;
@@ -868,6 +870,9 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
        if (_requester_sid_blob != NULL) {
                *_requester_sid_blob = NULL;
        }
+       if (_client_claims_blob != NULL) {
+               *_client_claims_blob = NULL;
+       }
 
        logon_blob = talloc_zero(mem_ctx, DATA_BLOB);
        if (logon_blob == NULL) {
@@ -900,6 +905,19 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                }
        }
 
+       if (_client_claims_blob != NULL) {
+               /*
+                * Until we support claims we just
+                * return an empty blob,
+                * that matches what Windows is doing
+                * without defined claims
+                */
+               client_claims_blob = talloc_zero(mem_ctx, DATA_BLOB);
+               if (client_claims_blob == NULL) {
+                       return NT_STATUS_NO_MEMORY;
+               }
+       }
+
        nt_status = samba_kdc_get_user_info_from_db(p,
                                                    p->msg,
                                                    &user_info_dc);
@@ -970,6 +988,9 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
        if (_requester_sid_blob != NULL) {
                *_requester_sid_blob = requester_sid_blob;
        }
+       if (_client_claims_blob != NULL) {
+               *_client_claims_blob = client_claims_blob;
+       }
        return NT_STATUS_OK;
 }
 
@@ -1154,7 +1175,7 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
 }
 
 static krb5_error_code samba_get_requester_sid(TALLOC_CTX *mem_ctx,
-                                              krb5_pac pac,
+                                              krb5_const_pac pac,
                                               krb5_context context,
                                               struct dom_sid *sid)
 {
@@ -1202,8 +1223,8 @@ static krb5_error_code samba_get_requester_sid(TALLOC_CTX *mem_ctx,
 /* Does a parse and SID check, but no crypto. */
 krb5_error_code samba_kdc_validate_pac_blob(
                krb5_context context,
-               struct samba_kdc_entry *client_skdc_entry,
-               const krb5_pac pac)
+               const struct samba_kdc_entry *client_skdc_entry,
+               const krb5_const_pac pac)
 {
        TALLOC_CTX *frame = talloc_stackframe();
        struct auth_user_info_dc *pac_user_info = NULL;
@@ -1400,6 +1421,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
        DATA_BLOB *upn_blob = NULL;
        DATA_BLOB *deleg_blob = NULL;
        DATA_BLOB *requester_sid_blob = NULL;
+       DATA_BLOB *client_claims_blob = NULL;
        bool is_untrusted = flags & SAMBA_KDC_FLAG_KRBTGT_IS_UNTRUSTED;
        int is_tgs = false;
        size_t num_types = 0;
@@ -1486,7 +1508,8 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                                                    &upn_blob,
                                                    NULL,
                                                    PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
-                                                   &requester_sid_blob);
+                                                   &requester_sid_blob,
+                                                   &client_claims_blob);
                if (!NT_STATUS_IS_OK(nt_status)) {
                        DBG_ERR("samba_kdc_get_pac_blobs failed: %s\n",
                                nt_errstr(nt_status));
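Review bot: `const krb5_const_pac pac` in the samba_kdc_validate_pac_blob signature (the `@@ -1202` hunk, and the matching prototype in pac-glue.h) puts a top-level `const` on a parameter whose typedef, as its name suggests, is already a pointer-to-const; the extra qualifier only makes the function's local copy of the pointer unmodifiable and is ignored for the prototype's type. Either drop it, `krb5_const_pac pac)`, or keep it in the definition only and leave it out of the header, which would match the plain `krb5_const_pac pac,` the same commit introduces in samba_get_requester_sid. The body of samba_kdc_validate_pac_blob continues outside the hunk.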
index 8cd0a99da80ae9ef76295990b2b90a55c290a7d4..046264cca123455da71e6d3abb8272b4d5055c2c 100644 (file)
@@ -76,7 +76,8 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
                                 DATA_BLOB **_upn_info_blob,
                                 DATA_BLOB **_pac_attrs_blob,
                                 uint64_t pac_attributes,
-                                DATA_BLOB **_requester_sid_blob);
+                                DATA_BLOB **_requester_sid_blob,
+                                DATA_BLOB **_client_claims_blob);
 NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
                                   krb5_context context,
                                   struct ldb_context *samdb,
@@ -100,8 +101,8 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
 
 krb5_error_code samba_kdc_validate_pac_blob(
                krb5_context context,
-               struct samba_kdc_entry *client_skdc_entry,
-               const krb5_pac pac);
+               const struct samba_kdc_entry *client_skdc_entry,
+               const krb5_const_pac pac);
 
 /*
  * In the RODC case, to confirm that the returned user is permitted to
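Review bot: The prototype of samba_kdc_get_pac_blobs gains `DATA_BLOB **_client_claims_blob` without any statement of its contract, and the header documents none of the other out-parameters either. A comment above the declaration should say that the parameter is optional (callers may pass NULL, as mit_samba.c and wdc-samba4.c do), that `*_client_claims_blob` is set to NULL on entry and left NULL on failure, and that on success it receives a talloc'd DATA_BLOB owned by mem_ctx which is currently empty until claims are supported. That is what the pac-glue.c hunks implement, and stating it here saves callers reading the definition to learn whether an empty blob or a NULL pointer signals "no claims".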
index eca0a4c5155a713164f4871bc6380c390461500f..cc6c6d1bd6b71cdd3559963fd65fa293e63af0db 100644 (file)
@@ -134,7 +134,8 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
                                            &upn_blob,
                                            is_krbtgt ? &pac_attrs_blob : NULL,
                                            pac_attributes,
-                                           is_krbtgt ? &requester_sid_blob : NULL);
+                                           is_krbtgt ? &requester_sid_blob : NULL,
+                                           NULL);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(mem_ctx);
                return EINVAL;