s4:kdc: Simplify samba_kdc_check_device() by calling samba_kdc_get_user_info_dc()
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 5 Oct 2023 03:11:57 +0000 (16:11 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)
The latter function accomplishes most of what we were doing ourselves.

No intended change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/pac-glue.c

index 2e2f91ff9b5ee67238557548840ee68371c7103a..4bd6cfd2a783f1643984e8e47dd62aa0064fceeb 100644 (file)
@@ -3120,7 +3120,8 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
        TALLOC_CTX *frame = NULL;
        krb5_error_code code = 0;
        NTSTATUS nt_status;
-       const struct auth_user_info_dc *device_info = NULL;
+       const struct auth_user_info_dc *device_info_const = NULL;
+       struct auth_user_info_dc *device_info_shallow_copy = NULL;
        struct authn_audit_info *client_audit_info = NULL;
 
        if (status_out != NULL) {
@@ -3159,91 +3160,17 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 
        frame = talloc_stackframe();
 
-       if (samba_krb5_pac_is_trusted(device)) {
-               struct auth_user_info_dc *device_info_pac = NULL;
-               krb5_data device_logon_info;
-
-               enum ndr_err_code ndr_err;
-               DATA_BLOB device_logon_info_blob;
-
-               union PAC_INFO pac_logon_info;
-               union netr_Validation validation;
-
-               code = krb5_pac_get_buffer(context, device.pac,
-                                          PAC_TYPE_LOGON_INFO,
-                                          &device_logon_info);
-               if (code != 0) {
-                       if (code == ENOENT) {
-                               DBG_ERR("Device PAC is missing LOGON_INFO\n");
-                       } else {
-                               DBG_ERR("Error getting LOGON_INFO from device PAC\n");
-                       }
-
-                       goto out;
-               }
-
-               device_logon_info_blob = data_blob_const(device_logon_info.data,
-                                                        device_logon_info.length);
-
-               ndr_err = ndr_pull_union_blob(&device_logon_info_blob, frame, &pac_logon_info,
-                                             PAC_TYPE_LOGON_INFO,
-                                             (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
-               smb_krb5_free_data_contents(context, &device_logon_info);
-               if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-                       nt_status = ndr_map_error2ntstatus(ndr_err);
-                       DBG_ERR("can't parse device PAC LOGON_INFO: %s\n",
-                               nt_errstr(nt_status));
-
-                       code = ndr_map_error2errno(ndr_err);
-                       goto out;
-               }
-
-               /*
-                * This does a bit of unnecessary work, setting up fields we
-                * don’t care about — we only want the SIDs.
-                */
-               validation.sam3 = &pac_logon_info.logon_info.info->info3;
-               nt_status = make_user_info_dc_netlogon_validation(frame, "", 3, &validation,
-                                                                 true, /* This user was authenticated */
-                                                                 &device_info_pac);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       code = map_errno_from_nt_status(nt_status);
-                       goto out;
-               }
-
-               /*
-                * We need to expand group memberships within our local domain,
-                * as the token might be generated by a trusted domain.
-                */
-               nt_status = authsam_update_user_info_dc(frame,
-                                                       samdb,
-                                                       device_info_pac);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       code = map_errno_from_nt_status(nt_status);
-                       goto out;
-               }
-               /*
-                * no modification required so we can assign to const variable
-                * here without a copy
-                */
-               device_info = device_info_pac;
-       } else {
-               const struct auth_user_info_dc *device_info_const = NULL;
-               struct auth_user_info_dc *device_info_shallow_copy = NULL;
-               code = samba_kdc_get_user_info_from_db(frame,
-                                                      samdb,
-                                                      device.entry,
-                                                      device.entry->msg,
-                                                      &device_info_const);
-               if (code) {
-                       const char *krb5err = krb5_get_error_message(context, code);
-                       DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n",
-                               krb5err != NULL ? krb5err : "<unknown>");
-                       krb5_free_error_message(context, krb5err);
-
-                       goto out;
-               }
+       code = samba_kdc_get_user_info_dc(frame,
+                                         context,
+                                         samdb,
+                                         device,
+                                         &device_info_const,
+                                         NULL);
+       if (code) {
+               goto out;
+       }
 
+       if (!samba_krb5_pac_is_trusted(device)) {
                /* Make a shallow copy of the user_info_dc structure. */
                nt_status = authsam_shallow_copy_user_info_dc(frame,
                                                              device_info_const,
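Review bot: The new failure path `if (code) { goto out; }` after the samba_kdc_get_user_info_dc() call drops the diagnostic the removed branch emitted through krb5_get_error_message()/DBG_ERR, so a failure to build the device's user_info_dc now leaves nothing in the KDC log unless samba_kdc_get_user_info_dc() logs internally, which this hunk does not show. If it does not, keeping the same get/free pair with `DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n", krb5err != NULL ? krb5err : "<unknown>");` preserves the trail an operator needs when device authentication starts failing. The bare `NULL` passed as the last argument also deserves an inline comment naming the out-parameter being declined, as the surrounding code does for other literal arguments. samba_kdc_check_device() starts and ends outside this hunk.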
@@ -3258,16 +3185,6 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
                        goto out;
                }
 
-               nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
-                                                           device_info_shallow_copy);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       DBG_ERR("Failed to add asserted identity: %s\n",
-                               nt_errstr(nt_status));
-
-                       code = KRB5KDC_ERR_TGT_REVOKED;
-                       goto out;
-               }
-
                nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
                                                       device_info_shallow_copy);
                if (!NT_STATUS_IS_OK(nt_status)) {
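Review bot: Removing the samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, ...) call from the non-trusted path is behaviour-preserving only if samba_kdc_get_user_info_dc() now adds that SID itself for database-sourced entries; nothing in this hunk shows it, and the resulting token is what authn_policy_authenticate_from_device() evaluates further down. A comment at the top of the surviving block, `/* samba_kdc_get_user_info_dc() has already added the asserted-identity SID; only CLAIMS_VALID is added here. */`, would record that dependency, and the commit message could name it explicitly rather than relying on "no intended change in behaviour". The enclosing `if (!samba_krb5_pac_is_trusted(device))` block opens in the previous hunk and closes outside this one.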
@@ -3278,13 +3195,13 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
                        goto out;
                }
                /* no more modification required so we can assign to const now */
-               device_info = device_info_shallow_copy;
+               device_info_const = device_info_shallow_copy;
        }
 
        nt_status = authn_policy_authenticate_from_device(frame,
                                                          samdb,
                                                          lp_ctx,
-                                                         device_info,
+                                                         device_info_const,
                                                          (struct auth_claims) {},
                                                          client_policy,
                                                          &client_audit_info);