From: Stefan Metzmacher Date: Thu, 24 Feb 2022 22:57:31 +0000 (+0100) Subject: s4:kdc: pass client_claims, device_info, device_claims into samba_make_krb5_pac() X-Git-Tag: talloc-2.4.0~578 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03250eefaaf21e819e8e855fc0db6ae25da6a9ee;p=thirdparty%2Fsamba.git s4:kdc: pass client_claims, device_info, device_claims into samba_make_krb5_pac() This allows us to add claims blobs to the PAC once we have the ability to create them. Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index a3d28d71d56..9ebc773137a 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -535,6 +535,9 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 pac_attrs_blob,
 requester_sid_blob,
 NULL,
+ NULL,
+ NULL,
+ NULL,
 *pac);
 talloc_free(tmp_ctx);
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index e77d163c075..95d86638836 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -503,6 +503,15 @@ krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
 * @param[in] deleg_blob Fill the delegation info PAC buffer with the given
 * blob, use NULL to ignore it.
 *
+ * @param[in] client_claims_blob Fill the client claims info PAC buffer with the
+ * given blob, use NULL to ignore it.
+ *
+ * @param[in] device_info_blob Fill the device info PAC buffer with the given
+ * blob, use NULL to ignore it.
+ *
+ * @param[in] device_claims_blob Fill the device claims info PAC buffer with the given
+ * blob, use NULL to ignore it.
+ *
+ * @param[in] pac The pac buffer to fill. This should be allocated with
 * krb5_pac_init() already.
 *
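Review bot: The three added `NULL` arguments in the `samba_make_krb5_pac()` call look exactly like the `NULL` already passed for `deleg_blob`, so the call now has four consecutive positional NULLs of the same `const DATA_BLOB *` type, and the compiler cannot catch a later edit that fills the wrong slot. These slots carry authorization data into the PAC, so I would label each one: `NULL, /* client_claims_blob */`, `NULL, /* device_info_blob */`, `NULL, /* device_claims_blob */`. The same applies to the `NULL, NULL, NULL,` line added in source4/kdc/wdc-samba4.c. The call starts above this hunk, so its earlier arguments are not visible here.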
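Review bot: The new `@param` entries for `client_claims_blob`, `device_info_blob` and `device_claims_blob` do not say that the blob is inserted as given. In the body hunk later in this file, each non-NULL blob goes through `smb_krb5_data_from_blob()` straight into `krb5_pac_add_buffer()` with no parsing or validation. Claims and device info are authorization data, so I would state the contract on each parameter, for example `The blob is added verbatim; the caller must pass an already encoded and validated buffer.` The comment block starts and ends outside this hunk.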
@@ -515,6 +524,9 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
 const DATA_BLOB *pac_attrs_blob,
 const DATA_BLOB *requester_sid_blob,
 const DATA_BLOB *deleg_blob,
+ const DATA_BLOB *client_claims_blob,
+ const DATA_BLOB *device_info_blob,
+ const DATA_BLOB *device_claims_blob,
 krb5_pac pac)
 {
 krb5_data logon_data;
@@ -535,6 +547,36 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
 return ret;
 }
+ if (device_info_blob != NULL) {
+ krb5_data device_info_data = smb_krb5_data_from_blob(*device_info_blob);
+ ret = krb5_pac_add_buffer(context, pac,
+ PAC_TYPE_DEVICE_INFO,
+ &device_info_data);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ if (client_claims_blob != NULL) {
+ krb5_data client_claims_data = smb_krb5_data_from_blob(*client_claims_blob);
+ ret = krb5_pac_add_buffer(context, pac,
+ PAC_TYPE_CLIENT_CLAIMS_INFO,
+ &client_claims_data);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ if (device_claims_blob != NULL) {
+ krb5_data device_claims_data = smb_krb5_data_from_blob(*device_claims_blob);
+ ret = krb5_pac_add_buffer(context, pac,
+ PAC_TYPE_DEVICE_CLAIMS_INFO,
+ &device_claims_data);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ if (cred_blob != NULL) {
 krb5_data cred_data = smb_krb5_data_from_blob(*cred_blob);
 ret = krb5_pac_add_buffer(context, pac,
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 7b7c489d30d..8cd0a99da80 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -48,6 +48,9 @@ krb5_error_code samba_make_krb5_pac(krb5_context context,
 const DATA_BLOB *pac_attrs_blob,
 const DATA_BLOB *requester_sid_blob,
 const DATA_BLOB *deleg_blob,
+ const DATA_BLOB *client_claims_blob,
+ const DATA_BLOB *device_info_blob,
+ const DATA_BLOB *device_claims_blob,
 krb5_pac pac);
 bool samba_princ_needs_pac(struct samba_kdc_entry *skdc_entry);
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 2c9b81e0add..eca0a4c5155 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
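Review bot: The new blocks in the body of `samba_make_krb5_pac()` add the buffers in the order device info, client claims, device claims, while the parameter list and the doc comment use client claims, device info, device claims; nothing in the hunk says whether the emitted order is deliberate. If PAC buffer order matters to consumers or to tests that compare against a reference KDC (I cannot tell from this diff), add a comment above the first block such as `/* Buffer order: PAC_TYPE_DEVICE_INFO, PAC_TYPE_CLIENT_CLAIMS_INFO, PAC_TYPE_DEVICE_CLAIMS_INFO, ahead of the credentials buffer. */`. Otherwise, reorder the blocks to match the signature. The function body starts and ends outside the hunk.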
@@ -161,7 +161,9 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 ret = samba_make_krb5_pac(context, logon_blob, cred_blob, upn_blob, pac_attrs_blob,
- requester_sid_blob, NULL, *pac);
+ requester_sid_blob, NULL,
+ NULL, NULL, NULL,
+ *pac);
 talloc_free(mem_ctx);
 return ret;