From: Stefan Metzmacher
Date: Thu, 13 Mar 2025 00:40:18 +0000 (+0100)
Subject: s4:kdc: pass pac_princ to samba_kdc_entry_pac()
X-Git-Tag: tevent-0.17.0~388
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=225fa436bfe12049fe79381078c0e0bc3d96e647;p=thirdparty%2Fsamba.git
s4:kdc: pass pac_princ to samba_kdc_entry_pac()
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 01450148a1c..4afae40893b 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -354,6 +354,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 } client_pac_entry = samba_kdc_entry_pac(header_pac,
+ client_principal,
 client_skdc_entry, client_krbtgt_skdc_entry);
@@ -380,6 +381,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 } device_pac_entry = samba_kdc_entry_pac(device_pac,
+ device_principal,
 device_skdc_entry, device_krbtgt_skdc_entry); }
diff --git a/source4/kdc/kdc-glue.c b/source4/kdc/kdc-glue.c
index 43764557e46..6dbf21edefd 100644
--- a/source4/kdc/kdc-glue.c
+++ b/source4/kdc/kdc-glue.c
@@ -69,6 +69,7 @@ int kdc_check_pac(krb5_context context,
 struct samba_kdc_entry_pac samba_kdc_get_device_pac(const astgs_request_t r) {
+ krb5_const_principal device_principal = kdc_request_get_armor_client_principal(r);
 const hdb_entry *device = kdc_request_get_armor_client(r); struct samba_kdc_entry *device_skdc_entry = NULL; const hdb_entry *device_krbtgt = kdc_request_get_armor_server(r);
@@ -76,7 +77,7 @@ struct samba_kdc_entry_pac samba_kdc_get_device_pac(const astgs_request_t r)
 const krb5_const_pac device_pac = kdc_request_get_armor_pac(r); if (device_pac == NULL) {
- return samba_kdc_entry_pac(NULL, NULL, NULL);
+ return samba_kdc_entry_pac(NULL, NULL, NULL, NULL);
 } /*
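Review bot: In samba_kdc_get_device_pac() the new `device_principal` is taken straight from `kdc_request_get_armor_client_principal(r)` and reaches `samba_kdc_entry_pac()` at the final return (the -98 hunk) without a NULL check, whereas `device_pac` is checked explicitly. The only NULL `pac_princ` this commit passes on purpose is the all-NULL "no PAC" call, so nothing visible says whether a non-NULL PAC paired with a NULL principal is a state that later consumers have to handle. If the armor principal is always set when an armor PAC exists, a comment at the declaration such as `/* non-NULL whenever device_pac is non-NULL */` would record that; otherwise the NULL case deserves the same early return as the missing PAC. The function body between the two hunks is outside the diff.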
@@ -98,6 +99,7 @@ struct samba_kdc_entry_pac samba_kdc_get_device_pac(const astgs_request_t r)
 } return samba_kdc_entry_pac(device_pac,
+ device_principal,
 device_skdc_entry, device_krbtgt_skdc_entry); }
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 4937c26b019..8a7c0b41c46 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -876,6 +876,7 @@ static bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac)
 #ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */ struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
+ krb5_const_principal pac_princ,
 struct samba_kdc_entry *entry, const struct samba_kdc_entry *krbtgt) {
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index e9a67d8f6e6..114dff3756e 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -57,6 +57,7 @@ struct samba_kdc_entry_pac {
 #ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */ struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
+ krb5_const_principal pac_princ,
 struct samba_kdc_entry *entry, const struct samba_kdc_entry *krbtgt_entry); #else /* MIT */
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 0afe8b2537b..7d2e421097c 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -155,6 +155,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 } static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r,
+ krb5_const_principal client_principal,
 const hdb_entry *delegated_proxy, const hdb_entry *client, const hdb_entry *krbtgt,
@@ -203,6 +204,7 @@ static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r,
 krb5_pac_set_trusted(pac, is_trusted); client_pac_entry = samba_kdc_entry_pac(pac,
+ client_principal,
 client_skdc_entry, krbtgt_skdc_entry);
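Review bot: `pac_princ` is accepted by the Heimdal `samba_kdc_entry_pac()` but not consumed anywhere in this commit: this is the only hunk in pac-glue.c, and the single pac-glue.h hunk adds no member to `struct samba_kdc_entry_pac`. The same commit renames `_client_principal` to `client_principal` in wdc-samba4.c once that parameter is used, and `hdb_entry *_server` keeps its underscore there, which suggests unused parameters are marked that way in this code. If so, `krb5_const_principal _pac_princ,` or a short `/* pac_princ is not consumed yet */` comment in the body would stop a reader from assuming the PAC is already tied to this principal. The function body is outside the hunk.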
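Review bot: The prototype gains `pac_princ` with no description of which principal it must be or when NULL is acceptable, and the commit message is only the subject line. Callers in this commit pass what appear to be the ticket's client principal, the armor client principal and a delegated-proxy principal, plus NULL when there is no PAC, so a comment above the declaration would make the contract explicit, for example `/* pac_princ: principal the PAC was presented for; NULL only when pac is NULL */` (wording for the author to confirm). The `#else /* MIT */` declarations that follow are not touched by this commit, so code shared by both builds presumably cannot rely on the value being present.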
@@ -275,7 +277,7 @@ out:
 /* Re-sign (and reform, including possibly new groups) a PAC */ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
- krb5_const_principal _client_principal,
+ krb5_const_principal client_principal,
 hdb_entry *delegated_proxy, krb5_const_pac delegated_proxy_pac, hdb_entry *client,
@@ -330,6 +332,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
 } delegated_proxy_pac_entry = samba_kdc_entry_pac(delegated_proxy_pac,
+ delegated_proxy_principal,
 delegated_proxy_skdc_entry, delegated_proxy_krbtgt_entry);
@@ -347,6 +350,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r,
 } client_pac_entry = samba_kdc_entry_pac(*pac,
+ client_principal,
 client_skdc_entry, krbtgt_skdc_entry);
@@ -401,7 +405,7 @@ out:
 /* Verify a PAC's SID and signatures */ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
- krb5_const_principal _client_principal,
+ krb5_const_principal client_principal,
 hdb_entry *delegated_proxy, hdb_entry *client, hdb_entry *_server,
@@ -526,6 +530,7 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r,
 } ret = samba_wdc_verify_pac2(r,
+ client_principal,
 delegated_proxy, client, krbtgt,
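Review bot: `delegated_proxy_principal` is passed to `samba_kdc_entry_pac()` in the -330 hunk, but no hunk in this file declares or assigns it and it is not among the parameters visible in the -275 hunk, so it has to be a local of samba_wdc_reget_pac() that is set outside the diff. Because `client_principal` comes from the callback argument while this value has a different origin, it is worth confirming that it is assigned on every path where `delegated_proxy_pac` is non-NULL, and that it is the name from the proxy's ticket and not one re-derived from the database entry. A comment at the call recording where it comes from, such as `/* set above, alongside delegated_proxy_skdc_entry */` if that matches the code, would make the pairing of PAC and principal reviewable from this spot. The surrounding function body is outside the hunk.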