s4:kdc: Implement Object SID certificate security extension
authorJennifer Sutton <jennifersutton@catalyst.net.nz>
Mon, 25 Aug 2025 00:40:09 +0000 (12:40 +1200)
committerJennifer Sutton <jsutton@samba.org>
Wed, 22 Oct 2025 23:59:36 +0000 (23:59 +0000)
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
selftest/knownfail_heimdal_kdc.d/sid-extension [deleted file]
source4/kdc/db-glue.c
source4/kdc/sdb.h
source4/kdc/sdb_to_hdb.c

diff --git a/selftest/knownfail_heimdal_kdc.d/sid-extension b/selftest/knownfail_heimdal_kdc.d/sid-extension
deleted file mode 100644 (file)
index 007e537..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba\.tests\.krb5\.pkinit_certificate_mapping_tests\.samba\.tests\.krb5\.pkinit_certificate_mapping_tests\.PkInitCertificateMappingTests\.test_object_sid\(ad_dc_ntvfs\)
-^samba\.tests\.krb5\.pkinit_certificate_mapping_tests\.samba\.tests\.krb5\.pkinit_certificate_mapping_tests\.PkInitCertificateMappingTests\.test_object_sid\(ad_dc_smb1\)
index 6bdce0f3363fdc67318644c87183e6b72bdcb68c..aa3418c48db6ecd336ede5f08b8b37e9ece44c3d 100644 (file)
@@ -1934,7 +1934,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
        NTTIME acct_expiry;
        NTSTATUS status;
        bool protected_user = false;
-       struct dom_sid sid;
        uint32_t rid;
        bool is_krbtgt = false;
        bool is_rodc = false;
@@ -2161,11 +2160,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 
        /* The lack of password controls etc applies to krbtgt by
         * virtue of being that particular RID */
-       ret = samdb_result_dom_sid_buf(msg, "objectSid", &sid);
+       ret = samdb_result_dom_sid_buf(msg, "objectSid", &entry->sid);
        if (ret) {
                goto out;
        }
-       status = dom_sid_split_rid(NULL, &sid, NULL, &rid);
+       status = dom_sid_split_rid(NULL, &entry->sid, NULL, &rid);
        if (!NT_STATUS_IS_OK(status)) {
                ret = EINVAL;
                goto out;
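Review bot: The comment above the `samdb_result_dom_sid_buf(msg, "objectSid", &entry->sid)` line still describes only the RID use ("applies to krbtgt by virtue of being that particular RID"), but the assignment now also persists the SID on the entry, and nothing at this site says why. A second sentence would save the next reader a grep: `/* The SID itself is kept on the entry so sdb_entry_to_hdb_entry can emit it as the HDB object SID extension. */`. samba_kdc_message2entry begins and ends outside this hunk, so I cannot see whether `entry` is zero-initialised before this point; if it is not, the field is uninitialised on every error path taken earlier in the function.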
index 6211184e2a2cf30d76f46a47f28ecff19d9c069f..6026ed86468b8347a63404907c47fa378d092c12 100644 (file)
@@ -24,6 +24,8 @@
 #ifndef _KDC_SDB_H_
 #define _KDC_SDB_H_
 
+#include "librpc/gen_ndr/security.h"
+
 struct sdb_salt {
        unsigned int type;
        krb5_data salt;
@@ -133,6 +135,7 @@ struct sdb_entry {
        struct SDBFlags flags;
        struct sdb_pub_keys pub_keys;
        struct sdb_certificate_mappings mappings;
+       struct dom_sid sid;
 };
 
 #define SDB_ERR_NOENTRY 36150275
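Review bot: The new `struct dom_sid sid;` member of `struct sdb_entry` has no comment saying what it holds or who consumes it, and because it is a by-value member every producer of an sdb_entry is now expected to fill it in. Suggest `/* objectSid of the account; emitted as the HDB object SID extension by sdb_entry_to_hdb_entry */` on the line above it, so that code paths building entries from other sources know the field is not optional. The new `#include "librpc/gen_ndr/security.h"` is what provides the complete `struct dom_sid` type needed for the by-value member; a one-line comment on the include would make that dependency explicit.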
index 3e89adea9d0f0bd2a3d2deb1ad3d337856b2b800..7845f93cc492d99ab055bd4115e09ce35194bd8c 100644 (file)
@@ -26,6 +26,7 @@
 #include <hdb.h>
 #include <krb5.h>
 #include <hx_locl.h>
+#include "libcli/security/dom_sid.h"
 #include "rfc2459_asn1.h"
 #include "sdb.h"
 #include "sdb_hdb.h"
@@ -662,6 +663,44 @@ int sdb_entry_to_hdb_entry(krb5_context context,
                }
        }
 
+       {
+               HDB_extension ext;
+               ObjectSid src_sid;
+               ObjectSid object_sid;
+               struct dom_sid_buf sid_buf;
+               char *sid_str = NULL;
+
+               sid_str = dom_sid_str_buf(&s->sid, &sid_buf);
+               if (sid_str == NULL) {
+                       rc = ENOMEM;
+                       goto error;
+               }
+
+               src_sid = (ObjectSid)
+               {
+                       .data = sid_str,
+                       .length = strlen(sid_str),
+               };
+
+               rc = der_copy_octet_string(&src_sid, &object_sid);
+               if (rc != 0) {
+                       goto error;
+               }
+
+               ext = (HDB_extension){
+                       .mandatory = FALSE,
+                       .data = {
+                               .element = choice_HDB_extension_data_object_sid,
+                               .u.object_sid = object_sid,
+                       }};
+
+               rc = hdb_replace_extension(context, h, &ext);
+               free_ObjectSid(&object_sid);
+               if (rc != 0) {
+                       goto error;
+               }
+       }
+
        h->context = ske;
        if (ske != NULL) {
                ske->kdc_entry = h;
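Review bot: The new block emits the object_sid extension for every entry without checking that `s->sid` was ever populated; `sid` is a field introduced by this commit, and an sdb_entry built by a path other than samba_kdc_message2entry (trust entries, for example, if such a path exists) would carry whatever the struct held, a zeroed SID rendering as something like `S-0-0`, which the KDC would then publish as that principal's object SID. Guarding the block with `if (!is_null_sid(&s->sid)) {` keeps the extension to entries that actually have an objectSid and fails closed otherwise. The `sid_str == NULL` check after `dom_sid_str_buf()` looks dead to me, as I recall that helper always returns its caller-supplied buffer (writing a placeholder on formatting failure rather than returning NULL), so the ENOMEM branch likely never runs; worth confirming against the helper's definition. The compound literal at `src_sid = (ObjectSid)` puts its opening brace on its own line while `(HDB_extension){` a few lines below does not; pick one form. sdb_entry_to_hdb_entry begins and ends outside this hunk.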