s4:kdc: Factor creation of user_info_dc out of samba_kdc_check_s4u2proxy_rbcd() into...
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 10 Oct 2023 02:12:30 +0000 (15:12 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/db-glue.c
source4/kdc/db-glue.h
source4/kdc/hdb-samba4.c
source4/kdc/mit_samba.c

index 50d49af56e47b2d9f0cb1402210a1596d9eaf16f..f8535fade87a9236e7297f9c31b0b866a604e867 100644 (file)
@@ -3374,7 +3374,7 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
                struct samba_kdc_db_context *kdc_db_ctx,
                krb5_const_principal client_principal,
                krb5_const_principal server_principal,
-               krb5_const_pac header_pac,
+               const struct auth_user_info_dc *user_info_dc,
                struct samba_kdc_entry *proxy_skdc_entry)
 {
        krb5_error_code code;
@@ -3384,7 +3384,6 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
        const char *proxy_dn = NULL;
        const DATA_BLOB *data = NULL;
        struct security_descriptor *rbcd_security_descriptor = NULL;
-       struct auth_user_info_dc *user_info_dc = NULL;
        struct security_token *security_token = NULL;
        uint32_t session_info_flags =
                AUTH_SESSION_INFO_DEFAULT_GROUPS |
@@ -3453,18 +3452,6 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
                 server_name,
                 proxy_dn);
 
-       code = kerberos_pac_to_user_info_dc(mem_ctx,
-                                           header_pac,
-                                           context,
-                                           &user_info_dc,
-                                           AUTH_INCLUDE_RESOURCE_GROUPS,
-                                           NULL,
-                                           NULL,
-                                           NULL);
-       if (code != 0) {
-               goto out;
-       }
-
        if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
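Review bot: `user_info_dc` is now supplied by the caller and is dereferenced at `user_info_dc->info->user_flags` without any check, whereas before this change the function built it itself and bailed out on failure. The value decides whether AUTH_SESSION_INFO_AUTHENTICATED is set for the RBCD access check, so I would add a guard before the first use, for example `if (user_info_dc == NULL || user_info_dc->info == NULL) { code = EINVAL; goto out; }`. A short comment on the parameter should also state that it must be built from the header PAC with AUTH_INCLUDE_RESOURCE_GROUPS, as both callers in this commit do. The function body starts and ends outside these hunks, so the `out:` label is assumed from the removed `goto out`.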
index f37e6e967310d146485c1c9fcb59efbc5146c60a..b570029f5734d7246f864a3b928e9fe4621d3b20 100644 (file)
@@ -95,7 +95,7 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
                struct samba_kdc_db_context *kdc_db_ctx,
                krb5_const_principal client_principal,
                krb5_const_principal server_principal,
-               krb5_const_pac header_pac,
+               const struct auth_user_info_dc *user_info_dc,
                struct samba_kdc_entry *proxy_skdc_entry);
 
 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
index 9b92dcb18429e91bb4a96fd4e3b41a273cd551c4..706c444a0e32b47ecd72f32e54d47a4dca9acd4e 100644 (file)
@@ -329,18 +329,41 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 {
        struct samba_kdc_db_context *kdc_db_ctx = NULL;
        struct samba_kdc_entry *proxy_skdc_entry = NULL;
+       struct auth_user_info_dc *user_info_dc = NULL;
+       TALLOC_CTX *mem_ctx = NULL;
+       krb5_error_code code;
 
        kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
                                           struct samba_kdc_db_context);
        proxy_skdc_entry = talloc_get_type_abort(proxy->context,
                                                 struct samba_kdc_entry);
 
-       return samba_kdc_check_s4u2proxy_rbcd(context,
+       mem_ctx = talloc_new(kdc_db_ctx);
+       if (mem_ctx == NULL) {
+               return ENOMEM;
+       }
+
+       code = kerberos_pac_to_user_info_dc(mem_ctx,
+                                           header_pac,
+                                           context,
+                                           &user_info_dc,
+                                           AUTH_INCLUDE_RESOURCE_GROUPS,
+                                           NULL,
+                                           NULL,
+                                           NULL);
+       if (code != 0) {
+               goto out;
+       }
+
+       code = samba_kdc_check_s4u2proxy_rbcd(context,
                                              kdc_db_ctx,
                                              client->principal,
                                              server_principal,
-                                             header_pac,
+                                             user_info_dc,
                                              proxy_skdc_entry);
+out:
+       talloc_free(mem_ctx);
+       return code;
 }
 
 static krb5_error_code
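Review bot: The PAC conversion block added here is repeated line for line in mit_samba_check_allowed_to_delegate_from() in source4/kdc/mit_samba.c, including the AUTH_INCLUDE_RESOURCE_GROUPS argument that controls which groups reach the RBCD check. If one copy is later changed without the other, the Heimdal and MIT back ends could evaluate the same delegation request against different group sets. A shared helper would keep them in step; failing that, a comment above each call such as `/* Keep in sync with the other KDC back end: RBCD must see resource groups. */` would make the coupling visible. The parameter list of hdb_samba4_check_rbcd() lies outside the hunk, so the type of `header_pac` cannot be confirmed here.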
index 0ce0f39be7e0459bd85472e6169169c770fbb607..ef1436234812b4407779fec99576db215faa4e28 100644 (file)
@@ -831,15 +831,35 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from(
 {
        struct samba_kdc_entry *proxy_skdc_entry =
                talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
+       struct auth_user_info_dc *user_info_dc = NULL;
+       TALLOC_CTX *mem_ctx = NULL;
        krb5_error_code code;
 
+       mem_ctx = talloc_new(NULL);
+       if (mem_ctx == NULL) {
+               return ENOMEM;
+       }
+
+       code = kerberos_pac_to_user_info_dc(mem_ctx,
+                                           header_pac,
+                                           ctx->context,
+                                           &user_info_dc,
+                                           AUTH_INCLUDE_RESOURCE_GROUPS,
+                                           NULL,
+                                           NULL,
+                                           NULL);
+       if (code != 0) {
+               goto out;
+       }
+
        code = samba_kdc_check_s4u2proxy_rbcd(ctx->context,
                                              ctx->db_ctx,
                                              client_principal,
                                              server_principal,
-                                             header_pac,
+                                             user_info_dc,
                                              proxy_skdc_entry);
-
+out:
+       talloc_free(mem_ctx);
        return code;
 }
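Review bot: `talloc_new(NULL)` creates the temporary context with no parent, while the equivalent code in hdb_samba4_check_rbcd() parents it on `kdc_db_ctx`. Both paths free it at `out:`, so nothing leaks as written, but an unparented context is easier to lose if an early return is added later, and it may not show up under any owner in a talloc report. If `ctx->db_ctx` is a talloc object here (it is passed as the kdc_db_ctx argument a few lines below), `mem_ctx = talloc_new(ctx->db_ctx);` would match the Heimdal side. The function signature lies outside the hunk.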