From: Stefan Metzmacher
Date: Thu, 24 Feb 2022 23:19:06 +0000 (+0100)
Subject: s4:kdc: fetch client_claims_blob from samba_kdc_get_pac_blobs()
X-Git-Tag: talloc-2.4.0~577
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f96fbe6eb1f1f0fcf6ce2d72df5cc631f427bcf1;p=thirdparty%2Fsamba.git

s4:kdc: fetch client_claims_blob from samba_kdc_get_pac_blobs()

The blob will be empty until we properly support claims.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 9ebc773137a..cd4a107154b 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -505,7 +505,8 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 					 &upn_dns_info_blob,
 					 is_krbtgt ? &pac_attrs_blob : NULL,
 					 PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
-					 is_krbtgt ? &requester_sid_blob : NULL);
+					 is_krbtgt ? &requester_sid_blob : NULL,
+					 NULL);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);
 		if (NT_STATUS_EQUAL(nt_status,
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 95d86638836..5e20f296a65 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -847,7 +847,8 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 				 DATA_BLOB **_upn_info_blob,
 				 DATA_BLOB **_pac_attrs_blob,
 				 uint64_t pac_attributes,
-				 DATA_BLOB **_requester_sid_blob)
+				 DATA_BLOB **_requester_sid_blob,
+				 DATA_BLOB **_client_claims_blob)
 {
 	struct auth_user_info_dc *user_info_dc = NULL;
 	DATA_BLOB *logon_blob = NULL;
@@ -855,6 +856,7 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 	DATA_BLOB *upn_blob = NULL;
 	DATA_BLOB *pac_attrs_blob = NULL;
 	DATA_BLOB *requester_sid_blob = NULL;
+	DATA_BLOB *client_claims_blob = NULL;
 	NTSTATUS nt_status;
 
 	*_logon_info_blob = NULL;
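Review bot: Passing `NULL` as the new last argument here means the MIT AS-path PAC is built without ever asking for the client-claims blob, whereas `samba_kdc_update_pac` in pac-glue.c now requests one with `&client_claims_blob`; the samba_wdc_get_pac hunk in wdc-samba4.c passes the same `NULL`. That is harmless today because the blob is always empty, but once the buffer is actually written into the PAC, a PAC produced at AS time and one rewritten at TGS time would differ in whether they carry it, so the asymmetry should be either deliberate or flagged, e.g. `NULL); /* client claims not requested on the AS path yet */`. The samba_kdc_get_pac_blobs call in mit_samba_get_pac starts before this hunk.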
@@ -868,6 +870,9 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 	if (_requester_sid_blob != NULL) {
 		*_requester_sid_blob = NULL;
 	}
+	if (_client_claims_blob != NULL) {
+		*_client_claims_blob = NULL;
+	}
 
 	logon_blob = talloc_zero(mem_ctx, DATA_BLOB);
 	if (logon_blob == NULL) {
@@ -900,6 +905,19 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 		}
 	}
 
+	if (_client_claims_blob != NULL) {
+		/*
+		 * Until we support claims we just
+		 * return an empty blob,
+		 * that matches what Windows is doing
+		 * without defined claims
+		 */
+		client_claims_blob = talloc_zero(mem_ctx, DATA_BLOB);
+		if (client_claims_blob == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
 	nt_status = samba_kdc_get_user_info_from_db(p,
 						    p->msg,
 						    &user_info_dc);
@@ -970,6 +988,9 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 	if (_requester_sid_blob != NULL) {
 		*_requester_sid_blob = requester_sid_blob;
 	}
+	if (_client_claims_blob != NULL) {
+		*_client_claims_blob = client_claims_blob;
+	}
 
 	return NT_STATUS_OK;
 }
@@ -1154,7 +1175,7 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
 }
 
 static krb5_error_code samba_get_requester_sid(TALLOC_CTX *mem_ctx,
-					       krb5_pac pac,
+					       krb5_const_pac pac,
 					       krb5_context context,
 					       struct dom_sid *sid)
 {
@@ -1202,8 +1223,8 @@ static krb5_error_code samba_get_requester_sid(TALLOC_CTX *mem_ctx,
 /* Does a parse and SID check, but no crypto. */
 krb5_error_code samba_kdc_validate_pac_blob(
 		krb5_context context,
-		struct samba_kdc_entry *client_skdc_entry,
-		const krb5_pac pac)
+		const struct samba_kdc_entry *client_skdc_entry,
+		const krb5_const_pac pac)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
 	struct auth_user_info_dc *pac_user_info = NULL;
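Review bot: The comment above the new `talloc_zero` in the `_client_claims_blob` branch leaves the actual contract implicit: what the caller receives is a zero-length `DATA_BLOB` (`data == NULL`, `length == 0`), not an encoded empty claims set, and whoever later copies it into a PAC buffer needs to know which of the two it is. Suggest `/* Claims are not supported yet: hand back a zero-length blob (data == NULL, length == 0), which matches what Windows emits when no claims are defined. */`. samba_kdc_get_pac_blobs starts and ends outside this hunk.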
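Review bot: In the new `samba_kdc_validate_pac_blob` signature the outer `const` in `const krb5_const_pac pac` only makes the by-value parameter itself immutable, a definition detail that adds nothing to the caller's contract now that `krb5_const_pac` already points at a const PAC; `krb5_const_pac pac)` is enough, and the same applies to the declaration in the pac-glue.h hunk at -100. The `const struct samba_kdc_entry *client_skdc_entry` part is the meaningful change and worth keeping. Since pac-glue.h is also consumed by the MIT build through mit_samba.c, this presumably relies on `krb5_const_pac` being provided by the MIT headers or by a compat typedef — worth confirming before merging. The body of samba_kdc_validate_pac_blob continues past the hunk.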
@@ -1400,6 +1421,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 	DATA_BLOB *upn_blob = NULL;
 	DATA_BLOB *deleg_blob = NULL;
 	DATA_BLOB *requester_sid_blob = NULL;
+	DATA_BLOB *client_claims_blob = NULL;
 	bool is_untrusted = flags & SAMBA_KDC_FLAG_KRBTGT_IS_UNTRUSTED;
 	int is_tgs = false;
 	size_t num_types = 0;
@@ -1486,7 +1508,8 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 					      &upn_blob,
 					      NULL,
 					      PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
-					      &requester_sid_blob);
+					      &requester_sid_blob,
+					      &client_claims_blob);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DBG_ERR("samba_kdc_get_pac_blobs failed: %s\n",
 			nt_errstr(nt_status));
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 8cd0a99da80..046264cca12 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -76,7 +76,8 @@ NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
 				 DATA_BLOB **_upn_info_blob,
 				 DATA_BLOB **_pac_attrs_blob,
 				 uint64_t pac_attributes,
-				 DATA_BLOB **_requester_sid_blob);
+				 DATA_BLOB **_requester_sid_blob,
+				 DATA_BLOB **_client_claims_blob);
 NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
 				   krb5_context context,
 				   struct ldb_context *samdb,
@@ -100,8 +101,8 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
 
 krb5_error_code samba_kdc_validate_pac_blob(
 		krb5_context context,
-		struct samba_kdc_entry *client_skdc_entry,
-		const krb5_pac pac);
+		const struct samba_kdc_entry *client_skdc_entry,
+		const krb5_const_pac pac);
 
 /*
  * In the RODC case, to confirm that the returned user is permitted to
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index eca0a4c5155..cc6c6d1bd6b 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
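Review bot: `client_claims_blob` is now filled in by the samba_kdc_get_pac_blobs call in `samba_kdc_update_pac`, but nothing in the -1400 or -1486 hunks reads it afterwards; if the remainder of the function (outside these hunks) does not consume it either, the fetch is write-only and the talloc'd blob just rides on `mem_ctx` until that is freed. Either the buffer should be added to the PAC in this commit or the fetch deferred to the commit that uses it; if it is intentionally unused until claims land, a short `/* fetched but not yet written into the PAC */` next to the declaration would make that explicit. The function starts and ends outside these hunks.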
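Review bot: The public declaration of `samba_kdc_get_pac_blobs` gains an out-parameter with no documentation, and the header carries none for the existing ones either: from the prototype alone it is not visible that `_client_claims_blob` may be NULL like `_pac_attrs_blob` and `_requester_sid_blob`, that its pointee is reset to NULL on entry, that the blob is allocated on `mem_ctx`, or that it is currently always zero-length. A Doxygen block on the declaration listing each `DATA_BLOB **` out-parameter with those facts would let the three callers touched in this commit be checked against a stated contract. The prototype begins before this hunk.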
@@ -134,7 +134,8 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 					 &upn_blob,
 					 is_krbtgt ? &pac_attrs_blob : NULL,
 					 pac_attributes,
-					 is_krbtgt ? &requester_sid_blob : NULL);
+					 is_krbtgt ? &requester_sid_blob : NULL,
+					 NULL);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(mem_ctx);
 		return EINVAL;