From b13701ac1810d98b43fa8fbe9fba603cddcbc286 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 10 Oct 2023 15:12:30 +1300
Subject: [PATCH] s4:kdc: Factor creation of user_info_dc out of samba_kdc_check_s4u2proxy_rbcd() into its callers

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 source4/kdc/db-glue.c    | 15 +--------------
 source4/kdc/db-glue.h    |  2 +-
 source4/kdc/hdb-samba4.c | 27 +++++++++++++++++++++++++--
 source4/kdc/mit_samba.c  | 24 ++++++++++++++++++++++--
 4 files changed, 49 insertions(+), 19 deletions(-)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 50d49af56e4..f8535fade87 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -3374,7 +3374,7 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 	struct samba_kdc_db_context *kdc_db_ctx,
 	krb5_const_principal client_principal,
 	krb5_const_principal server_principal,
-	krb5_const_pac header_pac,
+	const struct auth_user_info_dc *user_info_dc,
 	struct samba_kdc_entry *proxy_skdc_entry)
 {
 	krb5_error_code code;
@@ -3384,7 +3384,6 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 	const char *proxy_dn = NULL;
 	const DATA_BLOB *data = NULL;
 	struct security_descriptor *rbcd_security_descriptor = NULL;
-	struct auth_user_info_dc *user_info_dc = NULL;
 	struct security_token *security_token = NULL;
 	uint32_t session_info_flags =
 		AUTH_SESSION_INFO_DEFAULT_GROUPS |
@@ -3453,18 +3452,6 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 		server_name,
 		proxy_dn);
 
-	code = kerberos_pac_to_user_info_dc(mem_ctx,
-					    header_pac,
-					    context,
-					    &user_info_dc,
-					    AUTH_INCLUDE_RESOURCE_GROUPS,
-					    NULL,
-					    NULL,
-					    NULL);
-	if (code != 0) {
-		goto out;
-	}
-
 	if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
 		session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
 	}
diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h
index f37e6e96731..b570029f573 100644
--- a/source4/kdc/db-glue.h
+++ b/source4/kdc/db-glue.h
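Review bot: The context line `if (!(user_info_dc->info->user_flags & NETLOGON_GUEST))` in the third db-glue.c hunk now dereferences a caller-supplied pointer with no NULL check, whereas before it only ran after a successful kerberos_pac_to_user_info_dc(); a guard at the spot the removed block occupied, `if (user_info_dc == NULL) { code = EINVAL; goto out; }`, turns a would-be KDC crash on a bad caller into a failed delegation check, using the `code` variable and `out:` label the removed lines already relied on. The same precondition — non-NULL, and built with AUTH_INCLUDE_RESOURCE_GROUPS as both callers in this patch do — belongs in a comment on the prototype in the db-glue.h hunk, e.g. `/* user_info_dc: client's user info derived from the PAC with AUTH_INCLUDE_RESOURCE_GROUPS; must not be NULL */`. The body of samba_kdc_check_s4u2proxy_rbcd continues outside these hunks, so what `out:` releases is not visible here.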
@@ -95,7 +95,7 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 	struct samba_kdc_db_context *kdc_db_ctx,
 	krb5_const_principal client_principal,
 	krb5_const_principal server_principal,
-	krb5_const_pac header_pac,
+	const struct auth_user_info_dc *user_info_dc,
 	struct samba_kdc_entry *proxy_skdc_entry);
 
 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 9b92dcb1842..706c444a0e3 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -329,18 +329,41 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 {
 	struct samba_kdc_db_context *kdc_db_ctx = NULL;
 	struct samba_kdc_entry *proxy_skdc_entry = NULL;
+	struct auth_user_info_dc *user_info_dc = NULL;
+	TALLOC_CTX *mem_ctx = NULL;
+	krb5_error_code code;
 
 	kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 					   struct samba_kdc_db_context);
 	proxy_skdc_entry = talloc_get_type_abort(proxy->context,
 						 struct samba_kdc_entry);
 
-	return samba_kdc_check_s4u2proxy_rbcd(context,
+	mem_ctx = talloc_new(kdc_db_ctx);
+	if (mem_ctx == NULL) {
+		return ENOMEM;
+	}
+
+	code = kerberos_pac_to_user_info_dc(mem_ctx,
+					    header_pac,
+					    context,
+					    &user_info_dc,
+					    AUTH_INCLUDE_RESOURCE_GROUPS,
+					    NULL,
+					    NULL,
+					    NULL);
+	if (code != 0) {
+		goto out;
+	}
+
+	code = samba_kdc_check_s4u2proxy_rbcd(context,
 					      kdc_db_ctx,
 					      client->principal,
 					      server_principal,
-					      header_pac,
+					      user_info_dc,
 					      proxy_skdc_entry);
+out:
+	talloc_free(mem_ctx);
+	return code;
 }
 
 static krb5_error_code
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 0ce0f39be7e..ef143623481 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
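Review bot: The new PAC-to-user-info sequence in hdb_samba4_check_rbcd — talloc_new, kerberos_pac_to_user_info_dc with AUTH_INCLUDE_RESOURCE_GROUPS, goto out on failure — is repeated line for line in mit_samba_check_allowed_to_delegate_from in the mit_samba.c hunk; a small shared helper in db-glue.c taking the krb5 context, the PAC and a talloc parent and returning the user_info_dc would keep the flags in one place, so the two KDC backends cannot drift and evaluate RBCD against user info built with different flags. Short of that, the call deserves a why-comment such as `/* Any failure to derive the client's user info from the PAC fails the RBCD check; resource groups are requested so the access check sees the client's full group set. */` — the second clause is my inference from the flag name and should be confirmed against kerberos_pac_to_user_info_dc. The fail-closed part is grounded: every non-zero code reaches `return code;` at `out:`. The signature of hdb_samba4_check_rbcd lies above this hunk.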
@@ -831,15 +831,35 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from(
 {
 	struct samba_kdc_entry *proxy_skdc_entry =
 		talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
+	struct auth_user_info_dc *user_info_dc = NULL;
+	TALLOC_CTX *mem_ctx = NULL;
 	krb5_error_code code;
 
+	mem_ctx = talloc_new(NULL);
+	if (mem_ctx == NULL) {
+		return ENOMEM;
+	}
+
+	code = kerberos_pac_to_user_info_dc(mem_ctx,
+					    header_pac,
+					    ctx->context,
+					    &user_info_dc,
+					    AUTH_INCLUDE_RESOURCE_GROUPS,
+					    NULL,
+					    NULL,
+					    NULL);
+	if (code != 0) {
+		goto out;
+	}
+
 	code = samba_kdc_check_s4u2proxy_rbcd(ctx->context,
 					      ctx->db_ctx,
 					      client_principal,
 					      server_principal,
-					      header_pac,
+					      user_info_dc,
 					      proxy_skdc_entry);
-
+out:
+	talloc_free(mem_ctx);
 	return code;
 }
 
-- 
2.47.3
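Review bot: `mem_ctx = talloc_new(NULL);` parents the temporary context to nothing, while the equivalent code this patch adds to hdb_samba4_check_rbcd parents it to the database context (`talloc_new(kdc_db_ctx)`); since ctx->db_ctx is handed to samba_kdc_check_s4u2proxy_rbcd as that same `struct samba_kdc_db_context *` a few lines below, `mem_ctx = talloc_new(ctx->db_ctx);` would make the two backends consistent and let talloc report the allocation under the KDC's context, unless the MIT path deliberately stays out of ctx->db_ctx's hierarchy (not visible here). Both backends free mem_ctx at `out:` on every path, so the user_info_dc does not outlive the check. The function's signature and parameter list lie above this hunk.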