s4:kdc: Add ‘samba_kdc_entry_pac’ wrapper type
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 27 Sep 2023 00:15:15 +0000 (13:15 +1300)
committerJoseph Sutton <jsutton@samba.org>
Sun, 1 Oct 2023 22:45:38 +0000 (22:45 +0000)
With embedded Heimdal, we can mark a PAC as being trusted (i.e. not
issued by an RODC). This is convenient, as it saves us needing to carry
that information in flags, hoping it isn’t inadvertently lost.

System Heimdal and MIT Kerberos, however, don’t provide a way to mark a
PAC trusted. So we add a new wrapper type, ‘samba_kdc_entry_pac’, that
contains this extra information if ‘krb5_const_pac’ doesn’t contain it
already. As it also stores a pointer to the client entry, the
structure’s lifetime must therefore be carefully managed. Finally, it
keeps track of whether the PAC came across a trust, which is useful to
know in some circumstances.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h

index 4fb0f3f5d2b1659b414f833edfe452bbd65c1fd7..5c7f03ab7bfbcb5f5fb62dfaf7f88daa0a0dcc71 100644 (file)
@@ -854,6 +854,50 @@ NTSTATUS samba_kdc_add_compounded_auth(enum samba_compounded_auth compounded_aut
        return NT_STATUS_INVALID_PARAMETER;
 }
 
+/*
+ * Return true if this entry has an associated PAC issued or signed by a KDC
+ * that our KDC trusts. We trust the main krbtgt account, but we don’t trust any
+ * RODC krbtgt besides ourselves.
+ */
+bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac)
+{
+       if (pac.pac == NULL) {
+               return false;
+       }
+
+#ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
+       return krb5_pac_is_trusted(pac.pac);
+#else /* MIT */
+       return pac.pac_is_trusted;
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+}
+
+#ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
+struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
+                                              struct samba_kdc_entry *entry,
+                                              bool is_from_trust)
+{
+       return (struct samba_kdc_entry_pac) {
+               .entry = entry,
+               .pac = pac,
+               .is_from_trust = is_from_trust,
+       };
+}
+#else /* MIT */
+struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
+                                                           struct samba_kdc_entry *entry,
+                                                           bool is_from_trust,
+                                                           bool is_trusted)
+{
+       return (struct samba_kdc_entry_pac) {
+               .entry = entry,
+               .pac = pac,
+               .is_from_trust = is_from_trust,
+               .pac_is_trusted = is_trusted,
+       };
+}
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+
 /*
  * Look up the user's info in the database and create a auth_user_info_dc
  * structure. If the resulting structure is not talloc_free()d, it will be
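Review bot: In the MIT branch, `samba_kdc_entry_pac_from_trusted()` stores `is_trusted` as given even when `pac` is NULL, so the struct can carry `pac_is_trusted = true` with no PAC present. `samba_krb5_pac_is_trusted()` masks this with its NULL check, but the field is directly readable in MIT builds, so any code that bypasses the accessor would see a trust bit with nothing behind it. Failing closed at construction keeps the invariant in one place: `.pac_is_trusted = is_trusted && pac != NULL,`. A one-line comment on both constructors saying that trust must be queried through `samba_krb5_pac_is_trusted()` rather than by reading the field would also help.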
index fcef7c3d7f167a5e35a11ba5902df8b40d9d3446..e52a6711a9a8130c4825501bb0455bdabe84065c 100644 (file)
@@ -31,6 +31,7 @@
 #include "libcli/util/werror.h"
 #include "librpc/gen_ndr/auth.h"
 #include "kdc/samba_kdc.h"
+#include "lib/krb5_wrap/krb5_samba.h"
 
 enum samba_asserted_identity {
        SAMBA_ASSERTED_IDENTITY_IGNORE = 0,
@@ -56,6 +57,33 @@ enum {
        SAMBA_KDC_FLAG_DELEGATED_PROXY_IS_TRUSTED = 0x00000040,
 };
 
+struct samba_kdc_entry_pac {
+       struct samba_kdc_entry *entry;
+       krb5_const_pac pac; /* NULL indicates that no PAC is present. */
+       bool is_from_trust : 1;
+#ifndef HAVE_KRB5_PAC_IS_TRUSTED /* MIT */
+       bool pac_is_trusted : 1;
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+};
+
+/*
+ * Return true if this entry has an associated PAC issued or signed by a KDC
+ * that our KDC trusts. We trust the main krbtgt account, but we don’t trust any
+ * RODC krbtgt besides ourselves.
+ */
+bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac);
+
+#ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
+struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
+                                              struct samba_kdc_entry *entry,
+                                              bool is_from_trust);
+#else /* MIT */
+struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
+                                                           struct samba_kdc_entry *entry,
+                                                           bool is_from_trust,
+                                                           bool is_trusted);
+#endif /* HAVE_KRB5_PAC_IS_TRUSTED */
+
 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
                                                  const krb5_keyblock *pkreplykey,
                                                  const DATA_BLOB *cred_ndr_blob,
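Review bot: `struct samba_kdc_entry_pac` has no comment saying that `entry` and `pac` are borrowed pointers, although the commit message says the structure's lifetime must be carefully managed. Because the struct is passed and returned by value, copies are easy to make, and nothing visible here ties them to the lifetime of the entry or the PAC; a stale copy could leave a trust decision reading a dangling pointer. I would add above the struct something like `/* Borrows 'entry' and 'pac' without owning them; must not outlive either. */`. The layout also changes with `HAVE_KRB5_PAC_IS_TRUSTED`, so every includer must see the same configuration; the build's config header presumably guarantees that, but it is not visible from this hunk.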