From: Stefan Metzmacher
Date: Wed, 19 Feb 2025 13:05:51 +0000 (+0100)
Subject: s4:kdc: regenerate the client claims blob in samba_kdc_update_pac() if needed
X-Git-Tag: tevent-0.17.0~645
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=914533d38fcc3f923a9ccc98a5092854f782220a;p=thirdparty%2Fsamba.git

s4:kdc: regenerate the client claims blob in samba_kdc_update_pac() if needed

Note that samba_kdc_get_claims_data() already handles the samba_kdc_entry_pac_issued_by_trust() case to clear the claims received from a trusted domain.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 928a7fda084..f2e1f21a16c 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2636,6 +2636,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 enum auth_group_inclusion group_inclusion;
 bool compounded_auth = false;
 bool need_device = false;
+ bool regenerate_client_claims = false;
 size_t i = 0;
 
 if (server_audit_info_out != NULL) {
@@ -2697,7 +2698,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 kdc_db_ctx,
 client,
 &pac_claims.user_claims,
- NULL); /* _need_regeneration */
+ ®enerate_client_claims);
 if (code) {
 goto done;
 }
@@ -2894,14 +2895,6 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 code = map_errno_from_nt_status(nt_status);
 goto done;
 }
-
- /*
- * TODO: we need claim translation over trusts,
- * for now we just clear them...
- */
- if (samba_kdc_entry_pac_issued_by_trust(client)) {
- client_claims_blob = &data_blob_null;
- }
 } else {
 nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
 user_info_dc_const,
@@ -2935,8 +2928,9 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 goto done;
 }
 }
+ }
 
- /* Don't trust RODC-issued claims. Regenerate them. */
+ if (regenerate_client_claims) {
 nt_status = samba_kdc_get_claims_blob(tmp_ctx,
 pac_claims.user_claims,
 &client_claims_blob);
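Review bot: The `if (regenerate_client_claims) {` in the last hunk drops the comment that explained why RODC-issued claims were rebuilt, and since the flag is only set through the `_need_regeneration` out-parameter passed to samba_kdc_get_claims_data() in the second hunk, whether RODC-issued claims are still rebuilt now rests entirely on that helper setting the flag for the RODC case as well as the trust case the description mentions — worth confirming, as the helper is outside this diff. Either way the why-comment should survive the move, e.g. `/* Claims in a PAC issued by an RODC or a trust are not trusted as-is; samba_kdc_get_claims_data() asked for them to be rebuilt. */` directly above the new `if`. The closing brace of that `if`, the start of samba_kdc_update_pac() and the rest of its body all lie outside the hunks. The `®enerate_client_claims` shown in the second hunk is presumably `&regenerate_client_claims` mangled by entity decoding in this rendering rather than in the patch itself.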