return NT_STATUS_OK;
}
+static
+NTSTATUS samba_get_upn_info_pac_blob(TALLOC_CTX *mem_ctx,
+ const struct auth_user_info_dc *info,
+ DATA_BLOB *upn_data)
+{
+ union PAC_INFO pac_upn;
+ enum ndr_err_code ndr_err;
+ NTSTATUS nt_status;
+
+ ZERO_STRUCT(pac_upn);
+
+ *upn_data = data_blob_null;
+
+ pac_upn.upn_dns_info.upn_name = info->info->user_principal_name;
+ pac_upn.upn_dns_info.dns_domain_name = strupper_talloc(mem_ctx,
+ info->info->dns_domain_name);
+ if (pac_upn.upn_dns_info.dns_domain_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ if (info->info->user_principal_constructed) {
+ pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_CONSTRUCTED;
+ }
+
+ ndr_err = ndr_push_union_blob(upn_data, mem_ctx, &pac_upn,
+ PAC_TYPE_UPN_DNS_INFO,
+ (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ nt_status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(1, ("PAC UPN_DNS_INFO (presig) push failed: %s\n",
+ nt_errstr(nt_status)));
+ return nt_status;
+ }
+
+ return NT_STATUS_OK;
+}
+
static
NTSTATUS samba_get_cred_info_ndr_blob(TALLOC_CTX *mem_ctx,
const struct ldb_message *msg,
krb5_error_code samba_make_krb5_pac(krb5_context context,
const DATA_BLOB *logon_blob,
const DATA_BLOB *cred_blob,
+ const DATA_BLOB *upn_blob,
const DATA_BLOB *deleg_blob,
krb5_pac *pac)
{
krb5_data logon_data;
krb5_data cred_data;
+ krb5_data upn_data;
krb5_data deleg_data;
krb5_data null_data;
krb5_error_code ret;
}
}
+ ZERO_STRUCT(upn_data);
+ if (upn_blob != NULL) {
+ ret = krb5_copy_data_contents(&upn_data,
+ upn_blob->data,
+ upn_blob->length);
+ if (ret != 0) {
+ kerberos_free_data_contents(context, &logon_data);
+ kerberos_free_data_contents(context, &cred_data);
+ return ret;
+ }
+ }
+
ZERO_STRUCT(deleg_data);
if (deleg_blob != NULL) {
ret = krb5_copy_data_contents(&deleg_data,
if (ret != 0) {
kerberos_free_data_contents(context, &logon_data);
kerberos_free_data_contents(context, &cred_data);
+ kerberos_free_data_contents(context, &upn_data);
return ret;
}
}
if (ret != 0) {
kerberos_free_data_contents(context, &logon_data);
kerberos_free_data_contents(context, &cred_data);
+ kerberos_free_data_contents(context, &upn_data);
kerberos_free_data_contents(context, &deleg_data);
return ret;
}
ret = krb5_pac_add_buffer(context, *pac, PAC_TYPE_LOGON_INFO, &logon_data);
kerberos_free_data_contents(context, &logon_data);
if (ret != 0) {
+ kerberos_free_data_contents(context, &upn_data);
kerberos_free_data_contents(context, &cred_data);
kerberos_free_data_contents(context, &deleg_data);
return ret;
PAC_TYPE_CREDENTIAL_INFO,
&cred_data);
kerberos_free_data_contents(context, &cred_data);
+ if (ret != 0) {
+ kerberos_free_data_contents(context, &upn_data);
+ kerberos_free_data_contents(context, &deleg_data);
+ return ret;
+ }
+ }
+
+ /*
+ * null_data will be filled by the generic KDC code in the caller
+ * here we just add it in order to have it before
+ * PAC_TYPE_UPN_DNS_INFO
+ */
+ ret = krb5_pac_add_buffer(context, *pac,
+ PAC_TYPE_LOGON_NAME,
+ &null_data);
+ if (ret != 0) {
+ kerberos_free_data_contents(context, &upn_data);
+ kerberos_free_data_contents(context, &deleg_data);
+ return ret;
+ }
+
+ if (upn_blob != NULL) {
+ ret = krb5_pac_add_buffer(context, *pac,
+ PAC_TYPE_UPN_DNS_INFO,
+ &upn_data);
+ kerberos_free_data_contents(context, &upn_data);
if (ret != 0) {
kerberos_free_data_contents(context, &deleg_data);
return ret;
NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
struct samba_kdc_entry *p,
DATA_BLOB **_logon_info_blob,
- DATA_BLOB **_cred_ndr_blob)
+ DATA_BLOB **_cred_ndr_blob,
+ DATA_BLOB **_upn_info_blob)
{
struct auth_user_info_dc *user_info_dc;
DATA_BLOB *logon_blob = NULL;
DATA_BLOB *cred_blob = NULL;
+ DATA_BLOB *upn_blob = NULL;
NTSTATUS nt_status;
*_logon_info_blob = NULL;
if (_cred_ndr_blob != NULL) {
*_cred_ndr_blob = NULL;
}
+ *_upn_info_blob = NULL;
/* The user account may be set not to want the PAC */
if ( ! samba_princ_needs_pac(p)) {
}
}
+ upn_blob = talloc_zero(mem_ctx, DATA_BLOB);
+ if (upn_blob == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
nt_status = authsam_make_user_info_dc(mem_ctx, p->kdc_db_ctx->samdb,
lpcfg_netbios_name(p->kdc_db_ctx->lp_ctx),
lpcfg_sam_name(p->kdc_db_ctx->lp_ctx),
}
}
+ nt_status = samba_get_upn_info_pac_blob(upn_blob,
+ user_info_dc,
+ upn_blob);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Building PAC UPN INFO failed: %s\n",
+ nt_errstr(nt_status)));
+ return nt_status;
+ }
+
TALLOC_FREE(user_info_dc);
*_logon_info_blob = logon_blob;
if (_cred_ndr_blob != NULL) {
*_cred_ndr_blob = cred_blob;
}
+ *_upn_info_blob = upn_blob;
return NT_STATUS_OK;
}
DATA_BLOB **_logon_info_blob)
{
NTSTATUS nt_status;
+ DATA_BLOB *upn_blob = NULL;
nt_status = samba_kdc_get_pac_blobs(mem_ctx, p,
_logon_info_blob,
- NULL);
+ NULL, /* cred_blob */
+ &upn_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
+ TALLOC_FREE(upn_blob);
return NT_STATUS_OK;
}
DATA_BLOB **cred_ndr_ptr = NULL;
DATA_BLOB _cred_blob = data_blob_null;
DATA_BLOB *cred_blob = NULL;
+ DATA_BLOB *upn_blob = NULL;
krb5_error_code ret;
NTSTATUS nt_status;
struct samba_kdc_entry *skdc_entry =
nt_status = samba_kdc_get_pac_blobs(mem_ctx, skdc_entry,
&logon_blob,
- cred_ndr_ptr);
+ cred_ndr_ptr,
+ &upn_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return EINVAL;
}
ret = samba_make_krb5_pac(context, logon_blob, cred_blob,
- NULL, pac);
+ upn_blob, NULL, pac);
talloc_free(mem_ctx);
return ret;
TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_kdc_reget_pac context");
krb5_pac new_pac = NULL;
DATA_BLOB *pac_blob = NULL;
+ DATA_BLOB *upn_blob = NULL;
DATA_BLOB *deleg_blob = NULL;
krb5_error_code ret;
NTSTATUS nt_status;
ssize_t logon_info_idx = -1;
ssize_t delegation_idx = -1;
ssize_t logon_name_idx = -1;
+ ssize_t upn_dns_info_idx = -1;
ssize_t srv_checksum_idx = -1;
ssize_t kdc_checksum_idx = -1;
client_skdc_entry = talloc_get_type_abort(client->ctx,
struct samba_kdc_entry);
- nt_status = samba_kdc_get_pac_blob(mem_ctx, client_skdc_entry, &pac_blob);
+ nt_status = samba_kdc_get_pac_blobs(mem_ctx, client_skdc_entry,
+ &pac_blob, NULL, &upn_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return EINVAL;
}
logon_name_idx = i;
break;
+ case PAC_TYPE_UPN_DNS_INFO:
+ if (upn_dns_info_idx != -1) {
+ DEBUG(1, ("logon type[%d] twice [%d] and [%d]: \n",
+ (int)types[i],
+ (int)logon_info_idx,
+ (int)i));
+ SAFE_FREE(types);
+ talloc_free(mem_ctx);
+ return EINVAL;
+ }
+ upn_dns_info_idx = i;
+ break;
case PAC_TYPE_SRV_CHECKSUM:
if (srv_checksum_idx != -1) {
DEBUG(1, ("logon type[%d] twice [%d] and [%d]: \n",
* we just add a place holder here.
*/
type_blob = data_blob_const(&zero_byte, 1);
+
+ if (upn_dns_info_idx == -1 && upn_blob != NULL) {
+ /* inject UPN_DNS_INFO behind */
+ forced_next_type = PAC_TYPE_UPN_DNS_INFO;
+ }
+ break;
+ case PAC_TYPE_UPN_DNS_INFO:
+ /*
+ * Replace in the RODC case, otherwise
+ * upn_blob is NULL and we just copy.
+ */
+ if (upn_blob != NULL) {
+ type_blob = *upn_blob;
+ }
break;
case PAC_TYPE_SRV_CHECKSUM:
/*
projects / thirdparty / samba.git / commitdiff
