From: Stefan Metzmacher Date: Thu, 20 Feb 2025 14:16:19 +0000 (+0100) Subject: s4:kdc: pass samba_kdc_entry_pac to samba_kdc_check_s4u2proxy_rbcd() X-Git-Tag: tevent-0.17.0~659 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55c47104c1430a6feb1719949c0fad6a4a767b11;p=thirdparty%2Fsamba.git s4:kdc: pass samba_kdc_entry_pac to samba_kdc_check_s4u2proxy_rbcd() This simplifies and unifies the callers. For the MIT kdc we avoid using via kerberos_pac_to_user_info_dc() directly. Now both go via samba_kdc_get_user_info_dc() and MIT also handles the samba_kdc_get_claims_data() path. For the MIT kdc it means kerberos_pac_to_user_info_dc() is now called via samba_kdc_get_user_info_dc() -> samba_kdc_get_user_info_from_pac() and it is followed by authsam_update_user_info_dc() consistently. Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index eb8cd9686cd..f09333308c7 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -332,10 +332,8 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db, struct samba_kdc_entry *client_skdc_entry = NULL; const struct samba_kdc_entry *client_krbtgt_skdc_entry = NULL; struct samba_kdc_entry *proxy_skdc_entry = NULL; - const struct auth_user_info_dc *client_info = NULL; - const struct auth_user_info_dc *device_info = NULL; struct samba_kdc_entry_pac client_pac_entry = {}; - struct auth_claims auth_claims = {}; + struct samba_kdc_entry_pac device_pac_entry = {}; TALLOC_CTX *mem_ctx = NULL; krb5_error_code code; @@ -357,29 +355,9 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db, client_skdc_entry, client_krbtgt_skdc_entry); - code = samba_kdc_get_user_info_dc(mem_ctx, - context, - kdc_db_ctx, - client_pac_entry, - &client_info, - NULL /* resource_groups_out */); - if (code != 0) { - goto out; - } - - code = samba_kdc_get_claims_data(mem_ctx, - context, - kdc_db_ctx, - client_pac_entry, - &auth_claims.user_claims); - if (code) { - goto out; - } - if (device != NULL) { struct samba_kdc_entry *device_skdc_entry = NULL; const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL; - struct samba_kdc_entry_pac device_pac_entry = {}; device_skdc_entry = talloc_get_type_abort(device->context, struct samba_kdc_entry); @@ -392,36 +370,16 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db, device_pac_entry = samba_kdc_entry_pac(device_pac, device_skdc_entry, device_krbtgt_skdc_entry); - - code = samba_kdc_get_user_info_dc(mem_ctx, - context, - kdc_db_ctx, - device_pac_entry, - &device_info, - NULL /* resource_groups_out */); - if (code) { - goto out; - } - - code = samba_kdc_get_claims_data(mem_ctx, - context, - kdc_db_ctx, - device_pac_entry, - &auth_claims.device_claims); - if (code) { - goto out; - } } code = samba_kdc_check_s4u2proxy_rbcd(context, kdc_db_ctx, client->principal, server_principal, - client_info, - device_info, - auth_claims, + client_pac_entry, + device_pac_entry, proxy_skdc_entry); -out: + talloc_free(mem_ctx); return code; } diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index d788031b0dd..2f6d54d9475 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -730,46 +730,42 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from( { struct samba_kdc_entry *proxy_skdc_entry = talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry); - struct auth_user_info_dc *user_info_dc = NULL; - TALLOC_CTX *mem_ctx = NULL; + struct samba_kdc_entry_pac client_pac_entry = {}; krb5_error_code code; /* This sets the time into the DSDB opaque */ *ctx->db_ctx->current_nttime_ull = proxy_skdc_entry->current_nttime; - mem_ctx = talloc_new(NULL); - if (mem_ctx == NULL) { - return ENOMEM; - } - /* * FIXME: If ever we support RODCs, we must check that the PAC has not * been issued by an RODC (other than ourselves) — otherwise the PAC * cannot be trusted. Because the plugin interface does not give us the * client entry, we cannot look up its groups in the database. + * + * We would have to call + * code = samba_krbtgt_is_in_db(krbtgt_skdc_entry, + * &is_in_db, + * &is_trusted); + * + * But we don't have krbtgt_skdc_entry nor client_skdc_entry here, + * only a pac, which we need to trust without additional information. + * + * We also don't know if the pac comes from a trusted domain... */ - code = kerberos_pac_to_user_info_dc(mem_ctx, - header_pac, - ctx->context, - &user_info_dc, - AUTH_INCLUDE_RESOURCE_GROUPS, - NULL, - NULL, - NULL); - if (code != 0) { - goto out; - } + + client_pac_entry = samba_kdc_entry_pac_from_trusted(header_pac, + NULL, /* client_skdc_entry */ + NULL, /* krbtgt_skdc_entry */ + true); /* is_trusted */ code = samba_kdc_check_s4u2proxy_rbcd(ctx->context, ctx->db_ctx, client_principal, server_principal, - user_info_dc, - NULL /* device_info_dc */, - (struct auth_claims) {}, + client_pac_entry, + (struct samba_kdc_entry_pac) {} /* device */, proxy_skdc_entry); -out: - talloc_free(mem_ctx); + return code; } diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 0d46d03f9df..e79bcb10acf 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -3436,9 +3436,8 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( struct samba_kdc_db_context *kdc_db_ctx, krb5_const_principal client_principal, krb5_const_principal server_principal, - const struct auth_user_info_dc *user_info_dc, - const struct auth_user_info_dc *device_info_dc, - const struct auth_claims auth_claims, + struct samba_kdc_entry_pac client, + struct samba_kdc_entry_pac device, struct samba_kdc_entry *proxy_skdc_entry) { krb5_error_code code; @@ -3447,6 +3446,9 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( char *server_name = NULL; const char *proxy_dn = NULL; const DATA_BLOB *data = NULL; + const struct auth_user_info_dc *user_info_dc = NULL; + const struct auth_user_info_dc *device_info_dc = NULL; + struct auth_claims auth_claims = {}; struct security_descriptor *rbcd_security_descriptor = NULL; struct security_token *security_token = NULL; uint32_t session_info_flags = @@ -3474,6 +3476,46 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( return code; } + code = samba_kdc_get_user_info_dc(mem_ctx, + context, + kdc_db_ctx, + client, + &user_info_dc, + NULL /* resource_groups_out */); + if (code != 0) { + goto out; + } + + code = samba_kdc_get_claims_data(mem_ctx, + context, + kdc_db_ctx, + client, + &auth_claims.user_claims); + if (code) { + goto out; + } + + if (samba_kdc_entry_pac_valid_principal(device)) { + code = samba_kdc_get_user_info_dc(mem_ctx, + context, + kdc_db_ctx, + device, + &device_info_dc, + NULL /* resource_groups_out */); + if (code) { + goto out; + } + + code = samba_kdc_get_claims_data(mem_ctx, + context, + kdc_db_ctx, + device, + &auth_claims.device_claims); + if (code) { + goto out; + } + } + proxy_dn = ldb_dn_get_linearized(proxy_skdc_entry->msg->dn); if (proxy_dn == NULL) { DBG_ERR("ldb_dn_get_linearized failed for proxy_dn!\n"); diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h index aac9f85f55d..441b38ae3a3 100644 --- a/source4/kdc/pac-glue.h +++ b/source4/kdc/pac-glue.h @@ -146,7 +146,6 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( struct samba_kdc_db_context *kdc_db_ctx, krb5_const_principal client_principal, krb5_const_principal server_principal, - const struct auth_user_info_dc *user_info_dc, - const struct auth_user_info_dc *device_info_dc, - const struct auth_claims auth_claims, + struct samba_kdc_entry_pac client, + struct samba_kdc_entry_pac device, struct samba_kdc_entry *proxy_skdc_entry);