From: Stefan Metzmacher
Date: Thu, 13 Mar 2025 00:41:40 +0000 (+0100)
Subject: s4:kdc: store pac_princ in struct samba_kdc_entry_pac
X-Git-Tag: tevent-0.17.0~387
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6892988fbdea8b21872cf7666f88dbe9f9c98834;p=thirdparty%2Fsamba.git
s4:kdc: store pac_princ in struct samba_kdc_entry_pac
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 8a7c0b41c46..6adbbc9887f 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -881,13 +881,19 @@ struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
 const struct samba_kdc_entry *krbtgt)
 {
 if (pac != NULL) {
+ SMB_ASSERT(pac_princ != NULL);
 SMB_ASSERT(krbtgt != NULL);
+ } else {
+ pac_princ = NULL;
+ krbtgt = NULL;
+ entry = NULL;
 }
 return (struct samba_kdc_entry_pac) {
- .entry = entry,
- .krbtgt = krbtgt,
 .pac = pac,
+ .pac_princ = pac_princ,
+ .krbtgt = krbtgt,
+ .entry = entry,
 };
 }
 #else /* MIT */
@@ -898,13 +904,26 @@ struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
 bool is_trusted)
 {
 if (pac != NULL) {
+ /*
+ * TODO: we can't assert this yet,
+ * as mit_samba_update_pac() does not
+ * get this for cross realm clients.
+ *
+ * SMB_ASSERT(pac_princ != NULL);
+ */
 SMB_ASSERT(krbtgt != NULL);
+ } else {
+ pac_princ = NULL;
+ krbtgt = NULL;
+ entry = NULL;
+ is_trusted = false;
 }
 return (struct samba_kdc_entry_pac) {
- .entry = entry,
- .krbtgt = krbtgt,
 .pac = pac,
+ .pac_princ = pac_princ,
+ .krbtgt = krbtgt,
+ .entry = entry,
 .pac_is_trusted = is_trusted,
 };
 }
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 114dff3756e..4d5643dff95 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
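Review bot: The new `SMB_ASSERT(pac_princ != NULL);` in the Heimdal `samba_kdc_entry_pac()` (source4/kdc/pac-glue.c) turns a missing PAC principal into a KDC process abort, so every caller must guarantee a principal for every request type before a PAC reaches this constructor. The MIT variant in the same commit keeps the identical assertion disabled because `mit_samba_update_pac()` does not supply the principal for cross-realm clients, which suggests the Heimdal call sites deserve the same audit; they are not visible in this hunk. The added `else` branch also discards a caller-supplied `entry` and `krbtgt` when `pac` is NULL, so any caller that previously read `.entry` from a no-PAC result will now see NULL. A one-line comment above that branch would record the intent, for example `/* no PAC: normalise so consumers only need to test .pac */`. The function's parameter list starts outside the hunk.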
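Review bot: With the assertion commented out in `samba_kdc_entry_pac_from_trusted()` (source4/kdc/pac-glue.c, MIT branch), an MIT build can return a struct whose `.pac` is set while `.pac_princ` is NULL, which contradicts the `/* valid if pac is valid */` comment this commit adds for that field in source4/kdc/pac-glue.h. Code that consumes `.pac_princ` therefore has to NULL-check it on MIT builds, and the TODO does not say so. I would extend the TODO with a line such as `* Until then, pac_princ may be NULL even when pac is set.` and qualify the header comment the same way. The function's parameter list starts outside the hunk.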
@@ -47,9 +47,22 @@ enum {
 };
 struct samba_kdc_entry_pac {
- struct samba_kdc_entry *entry;
+ /*
+ * NULL indicates that no PAC is present.
+ *
+ * All other fields below are also NULL.
+ */
+ krb5_const_pac pac;
+
+ /* valid if pac is valid */
+ krb5_const_principal pac_princ;
+
+ /* valid if pac is valid */
 const struct samba_kdc_entry *krbtgt;
- krb5_const_pac pac; /* NULL indicates that no PAC is present. */
+
+ /* valid if pac is valid and principal is local */
+ struct samba_kdc_entry *entry;
+
 #ifndef HAVE_KRB5_PAC_IS_TRUSTED /* MIT */
 bool pac_is_trusted : 1;
 #endif /* HAVE_KRB5_PAC_IS_TRUSTED */
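Review bot: The comment on `pac` says all other fields are NULL when no PAC is present, but `pac_is_trusted` is a one-bit bool that the MIT constructor sets to `false`, and the comment does not say that the invariant holds only for structs built by `samba_kdc_entry_pac()` or `samba_kdc_entry_pac_from_trusted()`. I would word the last line as `* All other fields below are then NULL (pac_is_trusted: false); build this struct only via the constructors in pac-glue.c.` The comment on `entry` also implies it can be NULL alongside a valid `pac` for non-local principals, so consumers need to test `entry` separately from `pac`; saying "may be NULL otherwise" there would make that explicit. The struct's closing brace is outside the hunk.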