From: Joseph Sutton
Date: Thu, 17 Mar 2022 22:13:40 +0000 (+1300)
Subject: s4:kdc: Add function to get user_info_dc from database
X-Git-Tag: tevent-0.12.0~369
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=233ce6b2b88851bdad8c12ae668e2881beba2cd7;p=thirdparty%2Fsamba.git

s4:kdc: Add function to get user_info_dc from database

The resulting user_info_dc is kept in the 'samba_kdc_entry' structure, so it can be reused between calls. This allows us to simplify samba_kdc_get_pac_blobs(), as it no longer need to return a user_info_dc structure.

Signed-off-by: Joseph Sutton
Reviewed-by: Stefan Metzmacher
---
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index f8e0b24fd6e..eef2a9dc4c0 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -37,6 +37,7 @@
 #include "kdc/sdb.h"
 #include "kdc/samba_kdc.h"
 #include "kdc/db-glue.h"
+#include "kdc/pac-glue.h"
 #include "librpc/gen_ndr/ndr_irpc_c.h"
 #include "lib/messaging/irpc.h"
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 2503dc5d612..80e3523e9c4 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -511,8 +511,7 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 &upn_dns_info_blob,
 is_krbtgt ? &pac_attrs_blob : NULL,
 PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
- is_krbtgt ? &requester_sid_blob : NULL,
- NULL);
+ is_krbtgt ? &requester_sid_blob : NULL);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(tmp_ctx);
 if (NT_STATUS_EQUAL(nt_status,
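Review bot: The new `#include "kdc/pac-glue.h"` in db-glue.c is not used by any other change to db-glue.c in this commit, and the `PAC_GLUE` link dependency added to the db-glue library in wscript_build (last hunk of the diff) has the same status. If both prepare for a later commit that calls samba_kdc_get_user_info_from_db() from db-glue.c, the commit message should say so; otherwise they can be dropped here. Whether pac-glue already links against db-glue is not visible in this diff, so it is worth confirming that the new dependency does not create a cycle between the two libraries.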
@@ -968,18 +967,11 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
 return ENOMEM;
 }
- status = authsam_make_user_info_dc(tmp_ctx,
- ctx->db_ctx->samdb,
- lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
- lpcfg_sam_name(ctx->db_ctx->lp_ctx),
- lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
- p->realm_dn,
- p->msg,
- data_blob(NULL, 0),
- data_blob(NULL, 0),
- &user_info_dc);
+ status = samba_kdc_get_user_info_from_db(p,
+ p->msg,
+ &user_info_dc);
 if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1,("authsam_make_user_info_dc failed: %s\n",
+ DEBUG(1,("samba_kdc_get_user_info_from_db failed: %s\n",
 nt_errstr(status)));
 talloc_free(tmp_ctx);
 return EINVAL;
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index efeda9a998c..5b0a454f34f 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -828,10 +828,37 @@ int samba_krbtgt_is_in_db(struct samba_kdc_entry *p,
 }
 /*
- * We return not just the blobs, but also the user_info_dc because we
- * will need, in the RODC case, to confirm that the returned user is
- * permitted to be replicated to the KDC
+ * Look up the user's info in the database and create a auth_user_info_dc
+ * structure. If the resulting structure is not talloc_free()d, it will be
+ * reused on future calls to this function.
 */
+NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
+ struct ldb_message *msg,
+ struct auth_user_info_dc **user_info_dc)
+{
+ if (skdc_entry->user_info_dc == NULL) {
+ NTSTATUS nt_status;
+ struct loadparm_context *lp_ctx = skdc_entry->kdc_db_ctx->lp_ctx;
+ nt_status = authsam_make_user_info_dc(skdc_entry,
+ skdc_entry->kdc_db_ctx->samdb,
+ lpcfg_netbios_name(lp_ctx),
+ lpcfg_sam_name(lp_ctx),
+ lpcfg_sam_dnsname(lp_ctx),
+ skdc_entry->realm_dn,
+ msg,
+ data_blob_null,
+ data_blob_null,
+ &skdc_entry->user_info_dc);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+ }
+ *user_info_dc = skdc_entry->user_info_dc;
+ return NT_STATUS_OK;
+}
 NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 struct samba_kdc_entry *p,
 DATA_BLOB **_logon_info_blob,
@@ -839,10 +866,9 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 DATA_BLOB **_upn_info_blob,
 DATA_BLOB **_pac_attrs_blob,
 uint64_t pac_attributes,
- DATA_BLOB **_requester_sid_blob,
- struct auth_user_info_dc **_user_info_dc)
+ DATA_BLOB **_requester_sid_blob)
 {
- struct auth_user_info_dc *user_info_dc;
+ struct auth_user_info_dc *user_info_dc = NULL;
 DATA_BLOB *logon_blob = NULL;
 DATA_BLOB *cred_blob = NULL;
 DATA_BLOB *upn_blob = NULL;
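Review bot: In samba_kdc_get_user_info_from_db(), the `msg` argument only matters on the first call; once `skdc_entry->user_info_dc` is populated, a later call with a different message silently returns the cached result built from the earlier one. Every caller in this commit passes the entry's own message (`p->msg`, `client->msg`), so either drop the parameter and read `skdc_entry->msg` inside the function, or make the contract explicit at the top of the body with `SMB_ASSERT(msg == skdc_entry->msg);`. The new header comment is also misleading: talloc_free() on the returned pointer does not clear `skdc_entry->user_info_dc`, so the next call would hand back freed memory rather than recompute. Suggested wording: `* The result is owned by skdc_entry and must not be freed by the caller; use TALLOC_FREE(skdc_entry->user_info_dc) to force a fresh lookup.`, repeated on the prototype in pac-glue.h so header readers see the ownership rule.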
@@ -893,15 +919,9 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 }
 }
- nt_status = authsam_make_user_info_dc(mem_ctx, p->kdc_db_ctx->samdb,
- lpcfg_netbios_name(p->kdc_db_ctx->lp_ctx),
- lpcfg_sam_name(p->kdc_db_ctx->lp_ctx),
- lpcfg_sam_dnsname(p->kdc_db_ctx->lp_ctx),
- p->realm_dn,
- p->msg,
- data_blob(NULL, 0),
- data_blob(NULL, 0),
- &user_info_dc);
+ nt_status = samba_kdc_get_user_info_from_db(p,
+ p->msg,
+ &user_info_dc);
 if (!NT_STATUS_IS_OK(nt_status)) {
 DEBUG(0, ("Getting user info for PAC failed: %s\n",
 nt_errstr(nt_status)));
@@ -950,15 +970,6 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 }
 }
- /*
- * Return to the caller to allow a check on the allowed/denied
- * RODC replication groups
- */
- if (_user_info_dc == NULL) {
- TALLOC_FREE(user_info_dc);
- } else {
- *_user_info_dc = user_info_dc;
- }
 *_logon_info_blob = logon_blob;
 if (_cred_ndr_blob != NULL) {
 *_cred_ndr_blob = cred_blob;
@@ -1473,8 +1484,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 &upn_blob,
 NULL,
 PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
- &requester_sid_blob,
- &user_info_dc);
+ &requester_sid_blob);
 if (!NT_STATUS_IS_OK(nt_status)) {
 DBG_ERR("samba_kdc_get_pac_blobs failed: %s\n",
 nt_errstr(nt_status));
@@ -1482,6 +1492,16 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 goto done;
 }
+ nt_status = samba_kdc_get_user_info_from_db(client,
+ client->msg,
+ &user_info_dc);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n",
+ nt_errstr(nt_status));
+ code = KRB5KDC_ERR_TGT_REVOKED;
+ goto done;
+ }
 /*
 * Check if the SID list in the user_info_dc intersects
 * correctly with the RODC allow/deny lists.
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 8c68a0455fd..563214421c9 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
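Review bot: In samba_kdc_update_pac(), the new failure path maps a database or allocation failure inside samba_kdc_get_user_info_from_db() to `KRB5KDC_ERR_TGT_REVOKED`, which tells the client its ticket was revoked rather than that the KDC hit an internal error. The line that assigns `code` for the neighbouring samba_kdc_get_pac_blobs() failure lies between the two hunks and is not visible here; if it uses the same value the choice is at least consistent, otherwise `KRB5KRB_ERR_GENERIC` describes this case more honestly. Separately, user_info_dc is now taken from the entry's cache instead of being computed for this request, so the RODC allow/deny check that follows only sees group or attribute changes once the samba_kdc_entry is rebuilt; whether entries outlive a single request is not visible in this diff, but a one-line comment at the call site stating that the cached copy is intended would save the next reader the same question. samba_kdc_update_pac() begins and ends outside these hunks.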
@@ -55,6 +55,10 @@ int samba_krbtgt_is_in_db(struct samba_kdc_entry *skdc_entry,
 bool *is_in_db,
 bool *is_untrusted);
+NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
+ struct ldb_message *msg,
+ struct auth_user_info_dc **user_info_dc);
 NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 struct samba_kdc_entry *skdc_entry,
 DATA_BLOB **_logon_info_blob,
@@ -62,8 +66,7 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 DATA_BLOB **_upn_info_blob,
 DATA_BLOB **_pac_attrs_blob,
 uint64_t pac_attributes,
- DATA_BLOB **_requester_sid_blob,
- struct auth_user_info_dc **_user_info_dc);
+ DATA_BLOB **_requester_sid_blob);
 NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
 krb5_context context,
 struct ldb_context *samdb,
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 9b16fcc3b92..52f8d4a4221 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -56,6 +56,7 @@ struct samba_kdc_entry {
 struct samba_kdc_db_context *kdc_db_ctx;
 struct ldb_message *msg;
 struct ldb_dn *realm_dn;
+ struct auth_user_info_dc *user_info_dc;
 bool is_krbtgt;
 bool is_rodc;
 bool is_trust;
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index d1a9a096709..2f207e4c441 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -78,8 +78,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 &upn_blob,
 is_krbtgt ? &pac_attrs_blob : NULL,
 pac_attributes,
- is_krbtgt ? &requester_sid_blob : NULL,
- NULL);
+ is_krbtgt ? &requester_sid_blob : NULL);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
 return EINVAL;
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 26a68e9c37c..5c16e68ee0a 100644
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
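Review bot: The new `user_info_dc` member of struct samba_kdc_entry is only safe because samba_kdc_get_user_info_from_db() tests it against NULL before deciding whether to query the database, which requires every place that allocates an entry to zero-initialise it (talloc_zero() or an explicit assignment); the allocation sites are not part of this diff, so confirm none of them uses plain talloc(). A short ownership comment on the field would also help readers of the header, since the pointer is filled lazily and released with the entry: `struct auth_user_info_dc *user_info_dc; /* lazily filled by samba_kdc_get_user_info_from_db(); owned by this entry */`.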
@@ -134,7 +134,7 @@ bld.SAMBA_LIBRARY('pac',
 bld.SAMBA_LIBRARY('db-glue',
 source='db-glue.c',
- deps='ldb auth4_sam common_auth samba-credentials sdb samba-hostconfig com_err RPC_NDR_IRPC MESSAGING',
+ deps='ldb auth4_sam common_auth samba-credentials sdb samba-hostconfig com_err RPC_NDR_IRPC MESSAGING PAC_GLUE',
 private_library=True,
 )