From: Joseph Sutton Date: Tue, 8 Aug 2023 22:47:08 +0000 (+1200) Subject: s4:kdc: Don’t issue forwardable or proxiable tickets to Protected Users X-Git-Tag: tevent-0.16.0~1012 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0cf658cd10d3a2cee429615f3c01bb6bd4bd4ddb;p=thirdparty%2Fsamba.git s4:kdc: Don’t issue forwardable or proxiable tickets to Protected Users If an authentication policy enforces a maximum TGT lifetime for a Protected User, that limit should stand in place of the four-hour limit usually applied to Protected Users; we should nevertheless continue to ensure that forwardable or proxiable tickets are not issued to such users. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 16a0eaf0fae..975ab55da0d 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -63,7 +63,10 @@
 #
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_empty.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_empty.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_with_policy_error.ad_dc
+#
+# This test fails; but that is acceptable, for we have an alternative test
+# (test_authn_policy_protected_flags_with_policy_error) that expects to receive
+# a policy error.
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_without_policy_error.ad_dc
 #
 # PK-INIT tests
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20
index f6de7fd56d7..397bca2321e 100644
--- a/selftest/knownfail_mit_kdc_1_20
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -72,8 +72,11 @@
 #
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_from_no_fast_negative_lifetime.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_s4u2self_constrained_delegation.ad_dc
+#
+# This test fails; but that is acceptable, for we have an alternative test
+# (test_authn_policy_protected_flags_without_policy_error) that expects to
+# receive a policy error.
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_with_policy_error.ad_dc
-^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_protected_flags_without_policy_error.ad_dc
 #
 # PK-INIT tests
 #
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 41eff9c08bb..572bf95a966 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1478,17 +1478,18 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 protected_user = result;
- if (protected_user && enforced_tgt_lifetime_raw == 0)
- {
- /*
- * If a TGT lifetime hasn’t been set, Protected Users
- * enforces a four hour TGT lifetime.
- */
- *entry->max_life = MIN(*entry->max_life, 4 * 60 * 60);
- *entry->max_renew = MIN(*entry->max_renew, 4 * 60 * 60);
-
+ if (protected_user) {
 entry->flags.forwardable = 0;
 entry->flags.proxiable = 0;
+
+ if (enforced_tgt_lifetime_raw == 0) {
+ /*
+ * If a TGT lifetime hasn’t been set, Protected
+ * Users enforces a four hour TGT lifetime.
+ */
+ *entry->max_life = MIN(*entry->max_life, 4 * 60 * 60);
+ *entry->max_renew = MIN(*entry->max_renew, 4 * 60 * 60);
+ }
 }
 }
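Review bot: The comment added above the with_policy_error knownfail entry appears to contradict the test it names: it says test_authn_policy_protected_flags_without_policy_error "expects to receive a policy error", while that name, and the mirror comment in selftest/knownfail_heimdal_kdc which names the with_policy_error test for that same expectation, suggest the opposite. If the MIT KDC is the path that returns no policy error, the last two added lines should read `# (test_authn_policy_protected_flags_without_policy_error) that does not expect` / `# to receive a policy error.` so the two knownfail files describe the same split consistently. This is wording only; the entry being kept and the entry being dropped look right.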
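Review bot: The new `if (protected_user) {` deserves a comment stating the invariant the commit message gives, because the nesting now makes the flag clearing look like part of the lifetime handling rather than an unconditional rule: `/* Protected Users are never issued forwardable or proxiable tickets, whether or not a policy enforces a TGT lifetime. */`. Separately, the four-hour cap on `*entry->max_renew` is now skipped whenever `enforced_tgt_lifetime_raw` is nonzero; if the code that honours that value (outside this hunk) bounds only `max_life`, a Protected User under such a policy could get a renewable lifetime above the previous four-hour ceiling, which is worth confirming before merge. The enclosing samba_kdc_message2entry() begins before the hunk, so the source of `enforced_tgt_lifetime_raw` is not visible here.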