s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add the Claims Valid SID
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 27 Sep 2023 03:23:33 +0000 (16:23 +1300)
committerJoseph Sutton <jsutton@samba.org>
Sun, 1 Oct 2023 22:45:38 +0000 (22:45 +0000)
samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.

By extracting the call to samba_kdc_add_claims_valid() into the former
function’s callers, we’ll be able to remove the ‘claims_valid’ parameter
in the next commit, reducing the function’s complexity.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/mit_samba.c
source4/kdc/pac-glue.c
source4/kdc/wdc-samba4.c

index 9b2483f5f2a453a1de78f433a541de0c613bfaab..71560b298fc94e6ca109f8a78ee775a819c225dc 100644 (file)
@@ -487,7 +487,7 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
        nt_status = samba_kdc_get_user_info_dc(tmp_ctx,
                                               skdc_entry,
                                               asserted_identity,
-                                              SAMBA_CLAIMS_VALID_INCLUDE,
+                                              SAMBA_CLAIMS_VALID_EXCLUDE,
                                               &user_info_dc);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(tmp_ctx);
@@ -498,6 +498,15 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
                return EINVAL;
        }
 
+       nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
+                                              user_info_dc);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               DBG_ERR("Failed to add Claims Valid: %s\n",
+                       nt_errstr(nt_status));
+               talloc_free(tmp_ctx);
+               return EINVAL;
+       }
+
        nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
                                                  user_info_dc,
                                                  group_inclusion,
index bde2455026577403a7015ae35fbc3fd40ca76eb5..645c0039c52b712596b827727ae058cccde96771 100644 (file)
@@ -2027,7 +2027,7 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
        nt_status = samba_kdc_get_user_info_dc(frame,
                                               device,
                                               SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
-                                              SAMBA_CLAIMS_VALID_INCLUDE,
+                                              SAMBA_CLAIMS_VALID_EXCLUDE,
                                               &device_info_dc);
        if (!NT_STATUS_IS_OK(nt_status)) {
                DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
@@ -2036,6 +2036,15 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
                return KRB5KDC_ERR_TGT_REVOKED;
        }
 
+       nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
+                                              device_info_dc);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               DBG_ERR("Failed to add Claims Valid: %s\n",
+                       nt_errstr(nt_status));
+               talloc_free(frame);
+               return KRB5KDC_ERR_TGT_REVOKED;
+       }
+
        nt_status = auth_convert_user_info_dc_saminfo3(frame, device_info_dc,
                                                       AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED,
                                                       &info3,
@@ -2927,7 +2936,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
                nt_status = samba_kdc_get_user_info_dc(frame,
                                                       device,
                                                       SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
-                                                      SAMBA_CLAIMS_VALID_INCLUDE,
+                                                      SAMBA_CLAIMS_VALID_EXCLUDE,
                                                       &device_info);
                if (!NT_STATUS_IS_OK(nt_status)) {
                        DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
@@ -2936,6 +2945,16 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
                        code = KRB5KDC_ERR_TGT_REVOKED;
                        goto out;
                }
+
+               nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
+                                                      device_info);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       DBG_ERR("Failed to add Claims Valid: %s\n",
+                               nt_errstr(nt_status));
+
+                       code = KRB5KDC_ERR_TGT_REVOKED;
+                       goto out;
+               }
        }
 
        nt_status = authn_policy_authenticate_from_device(frame,
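Review bot: The new samba_kdc_add_claims_valid() call sits inside the conditional block that is closed at the `}` on the line after it, so it only runs on the path where device_info is fetched with samba_kdc_get_user_info_dc(); if device_info can be produced by another branch of that conditional (outside this hunk), that path no longer gets the Claims Valid SID from the callee either, and the subsequent authn_policy_authenticate_from_device() call would see a device_info without it — worth confirming, and a short comment at the call site such as `/* Claims Valid is now the caller's responsibility; device_info from other paths must already carry it. */` would make the expectation explicit. Separately, the blank line between the DBG_ERR() and `code = KRB5KDC_ERR_TGT_REVOKED;` in the failure branch is absent from the otherwise identical failure branch in samba_kdc_get_device_info_blob above; dropping it keeps the two blocks uniform. samba_kdc_check_device's body starts and ends outside the hunk.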
index 41fd32a852c1f108262e50d4444b6fe00286c887..c9e1d3fdb8978107be24b2a4672a882a45a75e1d 100644 (file)
@@ -126,13 +126,22 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
        nt_status = samba_kdc_get_user_info_dc(mem_ctx,
                                               skdc_entry,
                                               asserted_identity,
-                                              SAMBA_CLAIMS_VALID_INCLUDE,
+                                              SAMBA_CLAIMS_VALID_EXCLUDE,
                                               &user_info_dc);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(mem_ctx);
                return map_errno_from_nt_status(nt_status);
        }
 
+       nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
+                                              user_info_dc);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               DBG_ERR("Failed to add Claims Valid: %s\n",
+                       nt_errstr(nt_status));
+               talloc_free(mem_ctx);
+               return map_errno_from_nt_status(nt_status);
+       }
+
        /*
         * For an S4U2Self request, the authentication policy is not enforced.
         */