From: Stefan Metzmacher Date: Fri, 29 Nov 2024 11:08:00 +0000 (+0100) Subject: s4:kdc: let struct samba_kdc_entry_pac remember the krbtgt samba_kdc_entry X-Git-Tag: tevent-0.17.0~768 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5275bbc3c12a9fe96fe741e70170a3c1d3de40a7;p=thirdparty%2Fsamba.git s4:kdc: let struct samba_kdc_entry_pac remember the krbtgt samba_kdc_entry This will allow us later to find the information needed to do sid filtering of the pac. Signed-off-by: Stefan Metzmacher Reviewed-by: Jennifer Sutton --- diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 32c6d2f8c22..33b2522d4c9 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -355,7 +355,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db, client_pac_entry = samba_kdc_entry_pac(header_pac, client_skdc_entry, - samba_kdc_entry_is_trust(client_krbtgt_skdc_entry)); + client_krbtgt_skdc_entry); code = samba_kdc_get_user_info_dc(mem_ctx, context, @@ -391,7 +391,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db, device_pac_entry = samba_kdc_entry_pac(device_pac, device_skdc_entry, - samba_kdc_entry_is_trust(device_krbtgt_skdc_entry)); + device_krbtgt_skdc_entry); code = samba_kdc_get_user_info_dc(mem_ctx, context, diff --git a/source4/kdc/kdc-glue.c b/source4/kdc/kdc-glue.c index 8b98d0f8f7e..6fd52ef3985 100644 --- a/source4/kdc/kdc-glue.c +++ b/source4/kdc/kdc-glue.c @@ -88,5 +88,5 @@ struct samba_kdc_entry_pac samba_kdc_get_device_pac(const astgs_request_t r) return samba_kdc_entry_pac(device_pac, device_skdc_entry, - samba_kdc_entry_is_trust(device_krbtgt_skdc_entry)); + device_krbtgt_skdc_entry); } diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 4af02fa00d0..e6aa94aee37 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c 
@@ -717,7 +717,7 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, client_pac_entry = samba_kdc_entry_pac_from_trusted(old_pac, client_skdc_entry, - samba_kdc_entry_is_trust(krbtgt_skdc_entry), + krbtgt_skdc_entry, is_trusted); code = samba_kdc_verify_pac(tmp_ctx, diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 1d3be9edd57..2f21d7addbc 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -870,24 +870,24 @@ bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac) #ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */ struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac, struct samba_kdc_entry *entry, - bool is_from_trust) + const struct samba_kdc_entry *krbtgt) { return (struct samba_kdc_entry_pac) { .entry = entry, + .krbtgt = krbtgt, .pac = pac, - .is_from_trust = is_from_trust, }; } #else /* MIT */ struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac, struct samba_kdc_entry *entry, - bool is_from_trust, + const struct samba_kdc_entry *krbtgt, bool is_trusted) { return (struct samba_kdc_entry_pac) { .entry = entry, + .krbtgt = krbtgt, .pac = pac, - .is_from_trust = is_from_trust, .pac_is_trusted = is_trusted, }; } @@ -895,7 +895,7 @@ struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac, static bool samba_kdc_entry_pac_issued_by_trust(const struct samba_kdc_entry_pac entry) { - return entry.pac != NULL && entry.is_from_trust; + return entry.pac != NULL && samba_kdc_entry_is_trust(entry.krbtgt); } NTSTATUS samba_kdc_get_logon_info_blob(TALLOC_CTX *mem_ctx, diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h index aa022f7b001..3a1a99708a8 100644 --- a/source4/kdc/pac-glue.h +++ b/source4/kdc/pac-glue.h 
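Review bot: In the `@@ -895,7` hunk, `samba_kdc_entry_pac_issued_by_trust()` now hands `entry.krbtgt` to `samba_kdc_entry_is_trust()` on every call, and this same commit makes NULL a legal value for that field: `samba_wdc_reget_pac()` in wdc-samba4.c builds an entry with `NULL /* krbtgt */`. The body of `samba_kdc_entry_is_trust()` is not part of this diff, so its NULL handling cannot be confirmed from here; the old call sites passed it pointers directly, which suggests it tolerates NULL, but a trust decision should not rest on that silently. Either make the guard explicit, `return entry.pac != NULL && entry.krbtgt != NULL && samba_kdc_entry_is_trust(entry.krbtgt);`, or, once verified, add `/* krbtgt may be NULL; treated as "not issued by a trust" */` above the return. Since the commit message says this field will later drive SID filtering of the PAC, the "NULL means not a trust" default should be a stated choice rather than a side effect.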
@@ -49,8 +49,8 @@ bool samba_kdc_entry_is_trust(const struct samba_kdc_entry *entry); struct samba_kdc_entry_pac { struct samba_kdc_entry *entry; + const struct samba_kdc_entry *krbtgt; krb5_const_pac pac; /* NULL indicates that no PAC is present. */ - bool is_from_trust : 1; #ifndef HAVE_KRB5_PAC_IS_TRUSTED /* MIT */ bool pac_is_trusted : 1; #endif /* HAVE_KRB5_PAC_IS_TRUSTED */ @@ -66,11 +66,11 @@ bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac); #ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */ struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac, struct samba_kdc_entry *entry, - bool is_from_trust); + const struct samba_kdc_entry *krbtgt_entry); #else /* MIT */ struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac, struct samba_kdc_entry *entry, - bool is_from_trust, + const struct samba_kdc_entry *krbtgt_entry, bool is_trusted); #endif /* HAVE_KRB5_PAC_IS_TRUSTED */ diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index 2d7e6173a51..330d21975b7 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -216,7 +216,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, device_pac_entry = samba_kdc_entry_pac(device_pac, device_skdc_entry, - samba_kdc_entry_is_trust(device_krbtgt_skdc_entry)); + device_krbtgt_skdc_entry); ret = samba_kdc_get_user_info_dc(mem_ctx, context, @@ -396,7 +396,7 @@ static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r, krb5_pac_set_trusted(pac, is_trusted); client_pac_entry = samba_kdc_entry_pac(pac, client_skdc_entry, - samba_kdc_entry_is_trust(krbtgt_skdc_entry)); + krbtgt_skdc_entry); if (is_s4u2self) { flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION; @@ -515,7 +515,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r, * not have been signed * or issued by a krbtgt * trust account. */ - false /* is_from_trust */); + NULL /* krbtgt */); if (client != NULL) { client_skdc_entry = talloc_get_type_abort(client->context, 
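Review bot: The new `krbtgt` member in `struct samba_kdc_entry_pac` carries no comment, although it changes the struct from holding a copied flag to holding a pointer that `samba_kdc_entry_pac_issued_by_trust()` reads at the time of use. A reader needs to know three things: the pointer is borrowed rather than owned, the krbtgt entry must outlive every copy of the by-value `samba_kdc_entry_pac`, and NULL is permitted (wdc-samba4.c passes it). I would write the member as `const struct samba_kdc_entry *krbtgt; /* borrowed, may be NULL; must outlive this struct */`, in the style of the existing comment on `pac`. The struct definition continues past the end of the hunk.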
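Review bot: Both prototypes in the `@@ -66,11` hunk name the new parameter `krbtgt_entry`, while the definitions in pac-glue.c and the struct member use `krbtgt`. The compiler does not care, but the mismatch makes searching and generated documentation inconsistent for a parameter that feeds a trust decision. Use one spelling throughout, for example `const struct samba_kdc_entry *krbtgt);` and `const struct samba_kdc_entry *krbtgt,` in this header.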
@@ -532,7 +532,7 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r, client_pac_entry = samba_kdc_entry_pac(*pac, client_skdc_entry, - samba_kdc_entry_is_trust(krbtgt_skdc_entry)); + krbtgt_skdc_entry); ret = samba_kdc_update_pac(mem_ctx, context,