From: Stefan Metzmacher
Date: Thu, 13 Mar 2025 00:21:03 +0000 (+0100)
Subject: s4:kdc: pass pac_princ to samba_kdc_entry_pac_from_trusted()
X-Git-Tag: tevent-0.17.0~389
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08608dc08ea7b5d44b259dbfdf6945359b1a34f0;p=thirdparty%2Fsamba.git
s4:kdc: pass pac_princ to samba_kdc_entry_pac_from_trusted()
For mit_samba_update_pac() we can only pass it optionally. This should be fixed in future, but it requires changes in MIT Kerberos.
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index b045b6669e3..fafa2b10e15 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -514,6 +514,7 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
 TALLOC_CTX *tmp_ctx = NULL;
 krb5_error_code code;
 struct samba_kdc_entry *client_skdc_entry = NULL;
+ krb5_const_principal client_principal = NULL;
 struct samba_kdc_entry *server_skdc_entry = NULL;
 struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
 struct samba_kdc_entry_pac client_pac_entry = {};
@@ -527,10 +528,18 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
 return ENOMEM;
 }
+ /*
+ * TODO: pass client_principal from the caller
+ *
+ * While krb5_db_entry for 'client' is optional,
+ * the caller should pass client_principal,
+ * for cross realm clients.
+ */
 if (client != NULL) {
 client_skdc_entry = talloc_get_type_abort(client->e_data, struct samba_kdc_entry);
+ client_principal = client->princ;
 }
 if (krbtgt == NULL) {
@@ -577,6 +586,7 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
 }
 client_pac_entry = samba_kdc_entry_pac_from_trusted(old_pac,
+ client_principal,
 client_skdc_entry,
 krbtgt_skdc_entry,
 is_trusted);
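Review bot: In mit_samba_update_pac() `client_principal` is only set inside `if (client != NULL)`, so for a request without a client db entry the call at `@@ -577,6 +586,7 @@` passes NULL as the principal to samba_kdc_entry_pac_from_trusted(), and per the TODO that is the cross realm case. The TODO says what the caller should do but not what the callee must tolerate until then; I would add a line such as `* Until then pac_princ is NULL for cross realm clients.` so that nobody adds a check on it that silently does nothing (or dereferences NULL) for PACs from another realm. `client->princ` is also a borrowed pointer, so if the returned samba_kdc_entry_pac keeps it (not visible here), it must not be used after `client` is released. The function starts and ends outside these hunks.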
@@ -797,6 +807,7 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from(
 }
 client_pac_entry = samba_kdc_entry_pac_from_trusted(header_pac,
+ client_principal,
 NULL, /* client_skdc_entry */
 krbtgt_sentry.skdc_entry,
 true); /* is_trusted */
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 6eec1fc86d1..4937c26b019 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -891,6 +891,7 @@ struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
 }
 #else /* MIT */
 struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
+ krb5_const_principal pac_princ,
 struct samba_kdc_entry *entry,
 const struct samba_kdc_entry *krbtgt,
 bool is_trusted)
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 44ba85a4ee2..e9a67d8f6e6 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -61,6 +61,7 @@ struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
 const struct samba_kdc_entry *krbtgt_entry);
 #else /* MIT */
 struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
+ krb5_const_principal pac_princ,
 struct samba_kdc_entry *entry,
 const struct samba_kdc_entry *krbtgt_entry,
 bool is_trusted);
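Review bot: The new `pac_princ` argument in the MIT prototype of samba_kdc_entry_pac_from_trusted() in pac-glue.h has no stated contract, although mit_samba_update_pac() in this commit can pass NULL for it. A short comment above the declaration would settle it, for example `/* pac_princ may be NULL when the MIT caller has no client principal */`, plus a word on whether the pointer is copied or only referenced. The definition in pac-glue.c takes the same parameter, and its body is outside the hunk, so how the value is used cannot be checked from this page.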