From: Stefan Metzmacher
Date: Thu, 20 Feb 2025 15:22:43 +0000 (+0100)
Subject: s4:kdc: rewrite the logic in samba_kdc_get_claims_data()
X-Git-Tag: tevent-0.17.0~647
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff5548e4e1bfc3c2936f8e2742822d32078af9f4;p=thirdparty%2Fsamba.git
s4:kdc: rewrite the logic in samba_kdc_get_claims_data()
We should also go via samba_kdc_get_claims_data_from_pac() if the pack was issued by a trust. But for now we still clear the claims, which is the default if msDS-IngressClaimsTransformationPolicy is missing on the trustedDomain object.
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 1a0359aef58..978698cae66 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -3152,35 +3152,47 @@ krb5_error_code samba_kdc_get_claims_data(TALLOC_CTX *mem_ctx,
 					  struct samba_kdc_entry_pac entry,
 					  struct claims_data **claims_data_out)
 {
-	if (samba_kdc_entry_pac_issued_by_trust(entry)) {
+	bool was_found = false;
+	krb5_error_code code;
+
+	if (!samba_krb5_pac_is_trusted(entry)) {
+		return samba_kdc_get_claims_data_from_db(kdc_db_ctx->samdb,
+							 entry.entry,
+							 claims_data_out);
+	}
+
+	code = samba_kdc_get_claims_data_from_pac(mem_ctx,
+						  context,
+						  entry,
+						  claims_data_out,
+						  &was_found);
+	if (code != 0) {
+		return code;
+	}
+
+	if (was_found && samba_kdc_entry_pac_issued_by_trust(entry)) {
 		NTSTATUS status;
 
 		/*
-		 * TODO: we need claim translation over trusts; for now we just
-		 * clear them…
+		 * TODO: We need to evalate
+		 * msDS-IngressClaimsTransformationPolicy
+		 *
+		 * For now we just clear them, which
+		 * is the default policy for incoming
+		 * trusts. That is the same as an
+		 * explicit empty rule, that filters out
+		 * all claims.
 		 */
+		TALLOC_FREE(*claims_data_out);
 		status = claims_data_from_encoded_claims_set(mem_ctx,
 							     NULL,
 							     claims_data_out);
 		if (!NT_STATUS_IS_OK(status)) {
 			return map_errno_from_nt_status(status);
 		}
-
-		return 0;
-	}
-
-	if (samba_krb5_pac_is_trusted(entry)) {
-		bool was_found = false;
-		return samba_kdc_get_claims_data_from_pac(mem_ctx,
-							  context,
-							  entry,
-							  claims_data_out,
-							  &was_found);
 	}
 
-	return samba_kdc_get_claims_data_from_db(kdc_db_ctx->samdb,
-						 entry.entry,
-						 claims_data_out);
+	return 0;
 }
 
 static
@@ -3203,11 +3215,6 @@ krb5_error_code samba_kdc_get_claims_data_from_pac(TALLOC_CTX *mem_ctx,
 		goto out;
 	}
 
-	if (samba_kdc_entry_pac_issued_by_trust(entry)) {
-		code = EINVAL;
-		goto out;
-	}
-
 	if (claims_data_out == NULL) {
 		code = EINVAL;
 		goto out;
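Review bot: The empty-claims substitution in the first hunk is now gated on `was_found && samba_kdc_entry_pac_issued_by_trust(entry)`, so a trust-issued PAC that carries no claims buffer returns 0 with whatever samba_kdc_get_claims_data_from_pac() left in `*claims_data_out` (presumably NULL, not visible here), whereas the old code handed every trust-issued PAC an explicit empty set from claims_data_from_encoded_claims_set(); if callers treat NULL and an empty set differently, the guard should be `if (samba_kdc_entry_pac_issued_by_trust(entry)) {` with the TALLOC_FREE covering both cases. Because the foreign PAC's claims buffer is now decoded before being discarded (the EINVAL short-circuit removed in the second hunk), a malformed buffer from the trusted domain now fails the request on the `return code` path instead of being silently cleared — that is a deliberate tightening per the commit message, but the new comment block should say so explicitly. Minor: `evalate` in the added TODO should read `evaluate`. samba_kdc_get_claims_data()'s signature begins above the hunk, and samba_kdc_get_claims_data_from_pac() continues past the end of the second hunk.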