From: Joseph Sutton
Date: Thu, 16 Mar 2023 22:14:15 +0000 (+1300)
Subject: s4:kdc: Have samba_kdc_update_pac() take device parameters
X-Git-Tag: talloc-2.4.1~1352
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e97ea3f35e3d147b491bb2da959b0f8a6207835;p=thirdparty%2Fsamba.git
s4:kdc: Have samba_kdc_update_pac() take device parameters
These will be used later when we add support for compound authentication.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index c3c07926cca..4d7d60cb765 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -651,6 +651,8 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
 server_skdc_entry,
 krbtgt_skdc_entry,
 delegated_proxy_principal,
+ NULL, /* device */
+ NULL, /* device_pac */
 *pac,
 new_pac);
 if (code != 0) {
@@ -752,6 +754,8 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
 server_skdc_entry,
 krbtgt_skdc_entry,
 NULL, /* delegated_proxy_principal */
+ NULL, /* device */
+ NULL, /* device_pac */
 old_pac,
 new_pac);
 if (code != 0) {
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 70c36c4b953..80e72579cc1 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1727,6 +1727,12 @@ WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_object_sids,
 * updating the constrained delegation PAC * buffer. + * @param device The computer's samba kdc entry; used for compound + * authentication. + + * @param device_pac The PAC from the computer's TGT; used + * for compound authentication. + + * @param old_pac The old PAC * @param new_pac The new already allocated PAC
@@ -1743,6 +1749,8 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 const struct samba_kdc_entry *server,
 const struct samba_kdc_entry *krbtgt,
 const krb5_principal delegated_proxy_principal,
+ const struct samba_kdc_entry *device,
+ const krb5_const_pac *device_pac,
 const krb5_pac old_pac,
 const krb5_pac new_pac)
 {
@@ -1811,6 +1819,31 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 }
 }
+ if (device != NULL) {
+ SMB_ASSERT(*device_pac != NULL);
+
+ /*
+ * Check the objectSID of the device and pac data are the same.
+ * Does a parse and SID check, but no crypto.
+ */
+ code = samba_kdc_validate_pac_blob(context,
+ device,
+ *device_pac);
+ if (code != 0) {
+ goto done;
+ }
+
+ /*
+ * TODO: When we support compound authentication, we will use
+ * the device PAC to generate PAC buffers for Device Info
+ * (containing the computer account's groups) and Device Claims
+ * (containing claims for the computer account), and insert them
+ * into the emitted PAC.
+ *
+ * See [MS-KILE 1.3.4], [MS-KILE 3.3.5.7.4].
+ */
+ }
+
 if (!is_trusted) {
 struct auth_user_info_dc *user_info_dc = NULL;
 WERROR werr;
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index c797a389c20..5c83fba934c 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -126,5 +126,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 const struct samba_kdc_entry *server,
 const struct samba_kdc_entry *krbtgt,
 krb5_principal delegated_proxy_principal,
+ const struct samba_kdc_entry *device,
+ const krb5_const_pac *device_pac,
 krb5_pac old_pac,
 krb5_pac new_pac);
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 6fc4f817034..eb88e52f0fb 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
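Review bot: In the new `if (device != NULL)` block of the second hunk, `SMB_ASSERT(*device_pac != NULL);` dereferences `device_pac` before anything has established that the pointer itself is non-NULL, so a caller that supplies a device entry but no PAC pointer dies on the dereference rather than on the assertion; `SMB_ASSERT(device_pac != NULL && *device_pac != NULL);` would make that contract explicit and cheap to diagnose. The block's own comment says the check is a parse and SID comparison with no cryptographic verification, so the security of this path presumably rests on the caller having already verified the signatures on the device PAC (for the Heimdal callback, presumably when the armor TGT was decrypted — confirm); that prerequisite is not stated in the `@param device_pac` text added earlier in this file and should be, e.g. `@param device_pac The PAC from the computer's TGT, whose signatures the caller must already have verified; used for compound authentication.` The `done` label this branch jumps to, and the rest of samba_kdc_update_pac(), lie outside the hunk.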
@@ -238,6 +238,7 @@ static krb5_error_code samba_wdc_reget_pac2(astgs_request_t r,
 struct samba_kdc_entry *client_skdc_entry = NULL;
 struct samba_kdc_entry *server_skdc_entry = talloc_get_type_abort(server->context, struct samba_kdc_entry);
+ struct samba_kdc_entry *device_skdc_entry = NULL;
 struct samba_kdc_entry *krbtgt_skdc_entry = talloc_get_type_abort(krbtgt->context, struct samba_kdc_entry);
 TALLOC_CTX *mem_ctx = NULL;
@@ -265,22 +266,8 @@ static krb5_error_code samba_wdc_reget_pac2(astgs_request_t r,
 }
 if (device != NULL) {
- struct samba_kdc_entry *device_skdc_entry = NULL;
-
 device_skdc_entry = talloc_get_type_abort(device->context, struct samba_kdc_entry);
-
- /*
- * Check the objectSID of the device and pac data are the same.
- * Does a parse and SID check, but no crypto.
- */
- ret = samba_kdc_validate_pac_blob(context,
- device_skdc_entry,
- *device_pac);
- if (ret != 0) {
- talloc_free(mem_ctx);
- return ret;
- }
 }
 /*
@@ -371,6 +358,8 @@ static krb5_error_code samba_wdc_reget_pac2(astgs_request_t r,
 server_skdc_entry,
 krbtgt_skdc_entry,
 delegated_proxy_principal,
+ device_skdc_entry,
+ device_pac,
 *pac,
 new_pac);
 if (ret != 0) {
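Review bot: The `if (device != NULL)` block in the second hunk is left holding only the `talloc_get_type_abort()` lookup with no comment, because the explanatory comment moved out together with the validation code; a one-line note would tell a reader where that check went, e.g. `/* The device PAC is checked against this entry in samba_kdc_update_pac(). */` above the assignment. The failure path also changed shape: before, a validation failure freed `mem_ctx` and returned right here, whereas now it surfaces as `ret` from `samba_kdc_update_pac()` in the third hunk, so the `if (ret != 0) {` branch there — whose body is outside the hunk — must perform the same cleanup (presumably it does, since it already handles other failures from that call; confirm). samba_wdc_reget_pac2() begins before the first hunk and continues past the last.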