s4:kdc: Don’t convey PAC buffers from an RODC‐issued PAC

author Joseph Sutton <josephsutton@catalyst.net.nz>

Tue, 7 Nov 2023 03:19:30 +0000 (16:19 +1300)

committer Andrew Bartlett <abartlet@samba.org>

Tue, 7 Nov 2023 22:54:42 +0000 (22:54 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Tue, 7 Nov 2023 03:19:30 +0000 (16:19 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Tue, 7 Nov 2023 22:54:42 +0000 (22:54 +0000)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc

index 52d6a10de1f5b620271a8ff36c980de592638d0a..62eab29cf5c0c242e236ec4c04423b1a5ca93c68 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -35,10 +35,6 @@
  ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
  ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
  #
-# Extra PAC buffers tests
-#
-^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_tgs_req_from_rodc_extra_pac_buffers\(ad_dc\)$
-#
  # Protected Users tests
  #
  # This test fails, which is fine, as we have an alternate test that considers a policy error as successful.
@@ -156,14 +152,8 @@
  ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_info_target_policy\(ad_dc\)$
  ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_existing_device_info\(ad_dc\)$
  ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_claims_valid_rodc_issued\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_claims_rodc_issued\(ad_dc\)$
  ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_claims_target_policy\(ad_dc\)$
  ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_claims\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_info_and_claims_rodc_issued\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_existing_device_info_rodc_issued\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_rodc_issued\(ad_dc\)$
  ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy\(ad_dc\)$
  ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_rodc_issued\(ad_dc\)$
-^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_rodc_issued\(ad_dc\)$
  ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_pac_device_info_rodc_issued\(ad_dc\)$
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c

index abd6d138af16226d7de37663dcd5a9554731c47a..12465b7644dd6951ecaef692d10ef98596cde53d 100644 (file)
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2936,7 +2936,12 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
                         if (code != 0) {
                                 goto done;
                         }
-               } else {
+               } else if (samba_krb5_pac_is_trusted(client)) {
+                       /*
+                        * Convey the buffer from the original PAC if we can
+                        * trust it.
+                        */
+
                         code = krb5_pac_get_buffer(context,
                                                    client.pac,
                                                    type,
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Tue, 7 Nov 2023 03:19:30 +0000 (16:19 +1300)
committer	Andrew Bartlett <abartlet@samba.org>
	Tue, 7 Nov 2023 22:54:42 +0000 (22:54 +0000)
selftest/knownfail_heimdal_kdc		patch \| blob \| blame \| history
source4/kdc/pac-glue.c		patch \| blob \| blame \| history