s4:kdc: Split samba_kdc_get_user_info_from_pac() out of samba_kdc_obtain_user_info_dc()
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 3 Oct 2023 05:45:17 +0000 (18:45 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/pac-glue.c

index 5920e316719713204582fb4ed40ba97ea1e77d42..0fd7f0cca358d4f38b8ade18b3f16d77bee556ee 100644 (file)
@@ -1179,16 +1179,17 @@ krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
        return 0;
 }
 
-static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
-                                                    krb5_context context,
-                                                    struct ldb_context *samdb,
-                                                    const enum auth_group_inclusion group_inclusion,
-                                                    const struct samba_kdc_entry_pac entry,
-                                                    struct auth_user_info_dc **info_out,
-                                                    struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out)
+static krb5_error_code samba_kdc_get_user_info_from_pac(TALLOC_CTX *mem_ctx,
+                                                       krb5_context context,
+                                                       struct ldb_context *samdb,
+                                                       const enum auth_group_inclusion group_inclusion,
+                                                       const struct samba_kdc_entry_pac entry,
+                                                       struct auth_user_info_dc **info_out,
+                                                       struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out)
 {
        struct auth_user_info_dc *info = NULL;
        struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL;
+       struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_ptr = NULL;
        krb5_error_code ret = 0;
        NTSTATUS nt_status;
 
@@ -1197,89 +1198,46 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
                *resource_groups_out = NULL;
        }
 
-       if (samba_krb5_pac_is_trusted(entry)) {
-               struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_ptr = NULL;
-
-               if (resource_groups_out != NULL && group_inclusion == AUTH_EXCLUDE_RESOURCE_GROUPS) {
-                       /*
-                        * Since we are creating a TGT, resource groups from our domain
-                        * are not to be put into the PAC. Instead, we take the resource
-                        * groups directly from the original PAC and copy them
-                        * unmodified into the new one.
-                        */
-                       resource_groups_ptr = &resource_groups;
-               }
-
-               ret = kerberos_pac_to_user_info_dc(mem_ctx,
-                                                  entry.pac,
-                                                  context,
-                                                  &info,
-                                                  AUTH_EXCLUDE_RESOURCE_GROUPS,
-                                                  NULL,
-                                                  NULL,
-                                                  resource_groups_ptr);
-               if (ret) {
-                       const char *krb5err = krb5_get_error_message(context, ret);
-                       DBG_ERR("kerberos_pac_to_user_info_dc failed: %s\n",
-                               krb5err != NULL ? krb5err : "?");
-                       krb5_free_error_message(context, krb5err);
-
-                       goto out;
-               }
-
+       if (resource_groups_out != NULL && group_inclusion == AUTH_EXCLUDE_RESOURCE_GROUPS) {
                /*
-                * We need to expand group memberships within our local domain,
-                * as the token might be generated by a trusted domain.
+                * Since we are creating a TGT, resource groups from our domain
+                * are not to be put into the PAC. Instead, we take the resource
+                * groups directly from the original PAC and copy them
+                * unmodified into the new one.
                 */
-               nt_status = authsam_update_user_info_dc(mem_ctx,
-                                                       samdb,
-                                                       info);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       DBG_ERR("authsam_update_user_info_dc failed: %s\n",
-                               nt_errstr(nt_status));
+               resource_groups_ptr = &resource_groups;
+       }
 
-                       ret = map_errno_from_nt_status(nt_status);
-                       goto out;
-               }
-       } else {
-               if (entry.entry == NULL) {
-                       ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
-                       goto out;
-               }
+       ret = kerberos_pac_to_user_info_dc(mem_ctx,
+                                          entry.pac,
+                                          context,
+                                          &info,
+                                          AUTH_EXCLUDE_RESOURCE_GROUPS,
+                                          NULL,
+                                          NULL,
+                                          resource_groups_ptr);
+       if (ret) {
+               const char *krb5err = krb5_get_error_message(context, ret);
+               DBG_ERR("kerberos_pac_to_user_info_dc failed: %s\n",
+                       krb5err != NULL ? krb5err : "?");
+               krb5_free_error_message(context, krb5err);
 
-               /*
-                * In this case the RWDC discards the PAC an RODC generated.
-                * Windows adds the asserted_identity in this case too.
-                *
-                * Note that SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION
-                * generates KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
-                * So we can always use
-                * SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
-                * here.
-                */
-               ret = samba_kdc_get_user_info_from_db(mem_ctx,
-                                                     samdb,
-                                                     entry.entry,
-                                                     entry.entry->msg,
-                                                     &info);
-               if (ret) {
-                       const char *krb5err = krb5_get_error_message(context, ret);
-                       DBG_ERR("samba_kdc_get_user_info_from_db: %s\n",
-                               krb5err != NULL ? krb5err : "?");
-                       krb5_free_error_message(context, krb5err);
+               goto out;
+       }
 
-                       ret = KRB5KDC_ERR_TGT_REVOKED;
-                       goto out;
-               }
+       /*
+        * We need to expand group memberships within our local domain,
+        * as the token might be generated by a trusted domain.
+        */
+       nt_status = authsam_update_user_info_dc(mem_ctx,
+                                               samdb,
+                                               info);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               DBG_ERR("authsam_update_user_info_dc failed: %s\n",
+                       nt_errstr(nt_status));
 
-               nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
-                                                           info);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       DBG_ERR("Failed to add asserted identity: %s\n",
-                               nt_errstr(nt_status));
-                       ret = KRB5KDC_ERR_TGT_REVOKED;
-                       goto out;
-               }
+               ret = map_errno_from_nt_status(nt_status);
+               goto out;
        }
 
        *info_out = info;
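Review bot: Dropping the `samba_krb5_pac_is_trusted(entry)` branch at the top of this hunk turns trust in `entry.pac` into an unstated precondition of `samba_kdc_get_user_info_from_pac()`, and nothing inside the function checks it any more; the user info and the verbatim-copied resource groups are built straight from the PAC contents. Because the caller's gate is now the only thing between an unverified PAC and the resulting authorization data, the precondition belongs on the function itself, e.g. above its signature in the previous hunk: `/* Precondition: the caller has established via samba_krb5_pac_is_trusted() that entry.pac was verified; this function trusts its contents. */`. A second sentence there should note that `resource_groups_out` is only filled when `group_inclusion == AUTH_EXCLUDE_RESOURCE_GROUPS`, since that is the non-obvious condition on line `resource_groups_ptr = &resource_groups;`. The function's signature and the initial zeroing of its outputs are in the previous hunk, and its `out:` label and return lie outside this one.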
@@ -1297,6 +1255,81 @@ out:
        return ret;
 }
 
+static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
+                                                    krb5_context context,
+                                                    struct ldb_context *samdb,
+                                                    const enum auth_group_inclusion group_inclusion,
+                                                    const struct samba_kdc_entry_pac entry,
+                                                    struct auth_user_info_dc **info_out,
+                                                    struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out)
+{
+       struct auth_user_info_dc *info = NULL;
+       krb5_error_code ret = 0;
+       NTSTATUS nt_status;
+
+       *info_out = NULL;
+       if (resource_groups_out != NULL) {
+               *resource_groups_out = NULL;
+       }
+
+       if (samba_krb5_pac_is_trusted(entry)) {
+               return samba_kdc_get_user_info_from_pac(mem_ctx,
+                                                       context,
+                                                       samdb,
+                                                       group_inclusion,
+                                                       entry,
+                                                       info_out,
+                                                       resource_groups_out);
+       }
+
+       if (entry.entry == NULL) {
+               ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+               goto out;
+       }
+
+       /*
+        * In this case the RWDC discards the PAC an RODC generated.
+        * Windows adds the asserted_identity in this case too.
+        *
+        * Note that SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION
+        * generates KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
+        * So we can always use
+        * SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
+        * here.
+        */
+       ret = samba_kdc_get_user_info_from_db(mem_ctx,
+                                             samdb,
+                                             entry.entry,
+                                             entry.entry->msg,
+                                             &info);
+       if (ret) {
+               const char *krb5err = krb5_get_error_message(context, ret);
+               DBG_ERR("samba_kdc_get_user_info_from_db: %s\n",
+                       krb5err != NULL ? krb5err : "?");
+               krb5_free_error_message(context, krb5err);
+
+               ret = KRB5KDC_ERR_TGT_REVOKED;
+               goto out;
+       }
+
+       nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
+                                                   info);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               DBG_ERR("Failed to add asserted identity: %s\n",
+                       nt_errstr(nt_status));
+               ret = KRB5KDC_ERR_TGT_REVOKED;
+               goto out;
+       }
+
+       *info_out = info;
+       info = NULL;
+
+out:
+       TALLOC_FREE(info);
+
+       return ret;
+}
+
 static NTSTATUS samba_kdc_update_delegation_info_blob(TALLOC_CTX *mem_ctx,
                                                      krb5_context context,
                                                      const krb5_const_pac pac,
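Review bot: The new `samba_kdc_obtain_user_info_dc()` has no header comment explaining the two paths it dispatches between, which matters now that the `samba_krb5_pac_is_trusted(entry)` test is the sole decision on whether the PAC or the database is the source of the authorization data. I would add above the signature: `/* Obtain user info for 'entry'. A trusted PAC is converted directly by samba_kdc_get_user_info_from_pac(); otherwise (e.g. a PAC an RODC produced) the PAC is discarded, the info is rebuilt from the database and the asserted identity is added. *resource_groups_out is only populated on the trusted-PAC path. */`. The zeroing of `*info_out` and `*resource_groups_out` before the early `return` is repeated inside the callee (its `*resource_groups_out = NULL;` is visible as context in the previous hunk, and presumably `*info_out` is reset alongside it), so it is redundant but harmless; a one-line comment saying the callee resets the outputs itself would spare the next reader that check. The hunk's trailing context cuts into the signature of `samba_kdc_update_delegation_info_blob()`, which continues outside the hunk.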