From: Joseph Sutton
Date: Thu, 5 Oct 2023 03:11:57 +0000 (+1300)
Subject: s4:kdc: Simplify samba_kdc_check_device() by calling samba_kdc_get_user_info_dc()
X-Git-Tag: tevent-0.16.0~107
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=65a6676cc43381948b02fc5d740d0e727c299e24;p=thirdparty%2Fsamba.git
s4:kdc: Simplify samba_kdc_check_device() by calling samba_kdc_get_user_info_dc()
The latter function accomplishes most of what we were doing ourselves.
No intended change in behaviour.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 2e2f91ff9b5..4bd6cfd2a78 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -3120,7 +3120,8 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 TALLOC_CTX *frame = NULL;
 krb5_error_code code = 0;
 NTSTATUS nt_status;
- const struct auth_user_info_dc *device_info = NULL;
+ const struct auth_user_info_dc *device_info_const = NULL;
+ struct auth_user_info_dc *device_info_shallow_copy = NULL;
 struct authn_audit_info *client_audit_info = NULL;
 if (status_out != NULL) {
@@ -3159,91 +3160,17 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, frame = talloc_stackframe(); - if (samba_krb5_pac_is_trusted(device)) { - struct auth_user_info_dc *device_info_pac = NULL; - krb5_data device_logon_info; - - enum ndr_err_code ndr_err; - DATA_BLOB device_logon_info_blob; - - union PAC_INFO pac_logon_info; - union netr_Validation validation; - - code = krb5_pac_get_buffer(context, device.pac, - PAC_TYPE_LOGON_INFO, - &device_logon_info); - if (code != 0) { - if (code == ENOENT) { - DBG_ERR("Device PAC is missing LOGON_INFO\n"); - } else { - DBG_ERR("Error getting LOGON_INFO from device PAC\n"); - } - - goto out; - } - - device_logon_info_blob = data_blob_const(device_logon_info.data, - device_logon_info.length); - - ndr_err = ndr_pull_union_blob(&device_logon_info_blob, frame, &pac_logon_info, - PAC_TYPE_LOGON_INFO, - (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO); - smb_krb5_free_data_contents(context, &device_logon_info); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - nt_status = ndr_map_error2ntstatus(ndr_err); - DBG_ERR("can't parse device PAC LOGON_INFO: %s\n", - nt_errstr(nt_status)); - - code = ndr_map_error2errno(ndr_err); - goto out; - } - - /* - * This does a bit of unnecessary work, setting up fields we - * don’t care about — we only want the SIDs. - */ - validation.sam3 = &pac_logon_info.logon_info.info->info3; - nt_status = make_user_info_dc_netlogon_validation(frame, "", 3, &validation, - true, /* This user was authenticated */ - &device_info_pac); - if (!NT_STATUS_IS_OK(nt_status)) { - code = map_errno_from_nt_status(nt_status); - goto out; - } - - /* - * We need to expand group memberships within our local domain, - * as the token might be generated by a trusted domain. 
- */ - nt_status = authsam_update_user_info_dc(frame, - samdb, - device_info_pac); - if (!NT_STATUS_IS_OK(nt_status)) { - code = map_errno_from_nt_status(nt_status); - goto out; - } - /* - * no modification required so we can assign to const variable - * here without a copy - */ - device_info = device_info_pac; - } else { - const struct auth_user_info_dc *device_info_const = NULL; - struct auth_user_info_dc *device_info_shallow_copy = NULL; - code = samba_kdc_get_user_info_from_db(frame, - samdb, - device.entry, - device.entry->msg, - &device_info_const); - if (code) { - const char *krb5err = krb5_get_error_message(context, code); - DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n", - krb5err != NULL ? krb5err : ""); - krb5_free_error_message(context, krb5err); - - goto out; - } + code = samba_kdc_get_user_info_dc(frame, + context, + samdb, + device, + &device_info_const, + NULL); + if (code) { + goto out; + } + if (!samba_krb5_pac_is_trusted(device)) { /* Make a shallow copy of the user_info_dc structure. */ nt_status = authsam_shallow_copy_user_info_dc(frame, device_info_const, @@ -3258,16 +3185,6 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, goto out; } - nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, - device_info_shallow_copy); - if (!NT_STATUS_IS_OK(nt_status)) { - DBG_ERR("Failed to add asserted identity: %s\n", - nt_errstr(nt_status)); - - code = KRB5KDC_ERR_TGT_REVOKED; - goto out; - } - nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE, device_info_shallow_copy); if (!NT_STATUS_IS_OK(nt_status)) { 
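Review bot: The new failure path after `samba_kdc_get_user_info_dc()` is silent — `if (code) { goto out; }` — whereas every error path it replaces (missing LOGON_INFO, NDR pull failure, `samba_kdc_get_user_info_from_db` failure) logged a DBG_ERR with the reason, so unless the helper logs internally (not visible in this hunk) a device whose PAC or DB entry cannot be turned into a token is now rejected with no diagnostic on the KDC. I would reinstate the removed `krb5_get_error_message` / `DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n", ...)` / `krb5_free_error_message` pattern inside that `if (code)` block. The trailing `NULL` argument is also unexplained; a short comment such as `NULL /* no audit info needed here — confirm parameter meaning */` would help the next reader. The removed trusted-PAC branch explicitly expanded local-domain group memberships via `authsam_update_user_info_dc()`; the hunk gives no way to confirm the helper does the same, which matters because the resulting SIDs feed the policy check. samba_kdc_check_device() begins before this hunk and continues past it.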
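Review bot: Dropping the `samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, device_info_shallow_copy)` call from the untrusted-PAC path is a change to the device token unless `samba_kdc_get_user_info_dc()` already adds that SID, and nothing in this hunk shows that it does, while the commit message claims no behaviour change. The asserted-identity SID is part of what `authn_policy_authenticate_from_device()` evaluates against the client policy, so a missing SID would alter policy decisions silently rather than fail loudly. I would add a comment at the shallow-copy site, e.g. `/* asserted-identity SID already added by samba_kdc_get_user_info_dc(); only Claims Valid is added here — confirm */`, and point at the test that asserts the device token's asserted-identity SID if one exists. The enclosing function continues outside this hunk.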
@@ -3278,13 +3195,13 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, goto out; } /* no more modification required so we can assign to const now */ - device_info = device_info_shallow_copy; + device_info_const = device_info_shallow_copy; } nt_status = authn_policy_authenticate_from_device(frame, samdb, lp_ctx, - device_info, + device_info_const, (struct auth_claims) {}, client_policy, &client_audit_info);