From: Stefan Metzmacher Date: Wed, 29 Jan 2025 15:26:39 +0000 (+0100) Subject: s4:kdc: always go through samba_kdc_get_device_info_blob() X-Git-Tag: tevent-0.17.0~769 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2db636088ef8f7ba34bae69fc596d2e2a7439b97;p=thirdparty%2Fsamba.git s4:kdc: always go through samba_kdc_get_device_info_blob() This means we always go through samba_kdc_get_user_info_dc() both for client and also device pac. It means we use the same logic regarding samba_krb5_pac_is_trusted() and calling authsam_update_user_info_dc(). It means we do all logic on struct auth_user_info_dc and only convert to PAC_DEVICE_INFO at the end. Before we tried a mix of calling authsam_update_user_info_dc() on a half constructed auth_user_info_dc, while trying to apply the diff on auth_user_info_dc to the also half constructed PAC_DEVICE_INFO. Which can't work once auth_user_info_dc() will apply sid filtering and the number of sids may shrink. Now we use authsam_update_user_info_dc() followed by auth_convert_user_info_dc_saminfo3() and samba_kdc_make_device_info(). Signed-off-by: Stefan Metzmacher Reviewed-by: Jennifer Sutton
---
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index ca07fd37744..1d3be9edd57 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2027,58 +2027,6 @@ out:
 return ret;
 }

-static krb5_error_code samba_kdc_update_device_info(TALLOC_CTX *mem_ctx,
- struct ldb_context *samdb,
- const union PAC_INFO *logon_info,
- struct PAC_DEVICE_INFO *device_info)
-{
- NTSTATUS nt_status;
- struct auth_user_info_dc *device_info_dc = NULL;
- union netr_Validation validation;
- uint32_t i;
- uint32_t num_existing_sids;
-
- /*
- * This does a bit of unnecessary work, setting up fields we don't care
- * about -- we only want the SIDs.
- */
- validation.sam3 = &logon_info->logon_info.info->info3;
- nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
- true, /* This user was authenticated */
- &device_info_dc);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return map_errno_from_nt_status(nt_status);
- }
-
- num_existing_sids = device_info_dc->num_sids;
-
- /*
- * We need to expand group memberships within our local domain,
- * as the token might be generated by a trusted domain.
- */
- nt_status = authsam_update_user_info_dc(mem_ctx,
- samdb,
- device_info_dc);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return map_errno_from_nt_status(nt_status);
- }
-
- for (i = num_existing_sids; i < device_info_dc->num_sids; ++i) {
- struct auth_SidAttr *device_sid = &device_info_dc->sids[i];
- const struct netr_SidAttr sid = (struct netr_SidAttr) {
- .sid = &device_sid->sid,
- .attributes = device_sid->attrs,
- };
-
- krb5_error_code ret = samba_kdc_add_domain_group_sid(device_info, &sid);
- if (ret != 0) {
- return ret;
- }
- }
-
- return 0;
-}
-
 static krb5_error_code samba_kdc_get_device_info_pac_blob(TALLOC_CTX *mem_ctx,
 union PAC_INFO *info,
 DATA_BLOB **_device_info_blob)
@@ -2110,82 +2058,6 @@ static krb5_error_code samba_kdc_get_device_info_pac_blob(TALLOC_CTX *mem_ctx,
 return 0;
 }

-static krb5_error_code samba_kdc_create_device_info_blob(TALLOC_CTX *mem_ctx,
- krb5_context context,
- struct ldb_context *samdb,
- const krb5_const_pac device_pac,
- DATA_BLOB **device_info_blob)
-{
- TALLOC_CTX *frame = NULL;
- krb5_data device_logon_info;
- krb5_error_code code = EINVAL;
- NTSTATUS nt_status;
-
- union PAC_INFO info;
- enum ndr_err_code ndr_err;
- DATA_BLOB device_logon_info_blob;
-
- union PAC_INFO logon_info;
-
- code = krb5_pac_get_buffer(context, device_pac,
- PAC_TYPE_LOGON_INFO,
- &device_logon_info);
- if (code != 0) {
- if (code == ENOENT) {
- DBG_ERR("Device PAC is missing LOGON_INFO\n");
- } else {
- DBG_ERR("Error getting LOGON_INFO from device PAC\n");
- }
- return code;
- }
-
- frame = talloc_stackframe();
-
- device_logon_info_blob = data_blob_const(device_logon_info.data,
- device_logon_info.length);
-
- ndr_err = ndr_pull_union_blob(&device_logon_info_blob, frame, &logon_info,
- PAC_TYPE_LOGON_INFO,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
- smb_krb5_free_data_contents(context, &device_logon_info);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- nt_status = ndr_map_error2ntstatus(ndr_err);
- DBG_ERR("can't parse device PAC LOGON_INFO: %s\n",
- nt_errstr(nt_status));
- talloc_free(frame);
- return map_errno_from_nt_status(nt_status);
- }
-
- /*
- * When creating the device info structure, existing resource groups are
- * discarded.
- */
- code = samba_kdc_make_device_info(frame,
- &logon_info.logon_info.info->info3,
- NULL, /* resource_groups */
- &info);
- if (code != 0) {
- talloc_free(frame);
- return code;
- }
-
- code = samba_kdc_update_device_info(frame,
- samdb,
- &logon_info,
- info.device_info.info);
- if (code != 0) {
- talloc_free(frame);
- return code;
- }
-
- code = samba_kdc_get_device_info_pac_blob(mem_ctx,
- &info,
- device_info_blob);
-
- talloc_free(frame);
- return code;
-}
-
 static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
 krb5_context context,
 struct ldb_context *samdb,
@@ -2553,25 +2425,13 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 device_claims_blob_ptr = &device_claims_blob;
- if (samba_krb5_pac_is_trusted(device)) {
- code = samba_kdc_create_device_info_blob(tmp_ctx,
- context,
- samdb,
- device.pac,
- &device_info_blob);
- if (code != 0) {
- goto done;
- }
- } else {
- /* Don't trust an RODC‐issued PAC; regenerate the device info. */
- code = samba_kdc_get_device_info_blob(tmp_ctx,
- context,
- samdb,
- device,
- &device_info_blob);
- if (code != 0) {
- goto done;
- }
+ code = samba_kdc_get_device_info_blob(tmp_ctx,
+ context,
+ samdb,
+ device,
+ &device_info_blob);
+ if (code != 0) {
+ goto done;
 }
 }
 }
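Review bot: The new unconditional call to samba_kdc_get_device_info_blob() drops the only comment that explained the branch it replaces, so nothing at the call site now says why a trusted device PAC is rebuilt from scratch instead of having its LOGON_INFO reused. A short comment above the call would keep that intent visible, e.g. `/* Trusted and untrusted device PACs both go through samba_kdc_get_device_info_blob(); the samba_krb5_pac_is_trusted() decision is made inside it. */`, worded to match what the helper actually does if its trust handling differs from the commit message. The deleted samba_kdc_create_device_info_blob() path also discarded existing resource groups and, after authsam_update_user_info_dc(), added the newly expanded local domain group SIDs to the PAC_DEVICE_INFO; this hunk does not show that samba_kdc_get_device_info_blob() preserves both behaviours for a trusted PAC, so that is worth confirming on the new side. samba_kdc_update_pac() begins before this hunk and its body continues past it.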