s4:kdc: Use device info to evaluate RBCD conditions
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 10 Oct 2023 02:40:13 +0000 (15:40 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 12 Oct 2023 23:13:32 +0000 (23:13 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/hdb-samba4.c

index 48151c582d6295ce25c34e72c7b741f507222dfb..33b758f74904a71fb6585919fcd9a010854bddf6 100644 (file)
@@ -333,6 +333,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
        const struct samba_kdc_entry *client_krbtgt_skdc_entry = NULL;
        struct samba_kdc_entry *proxy_skdc_entry = NULL;
        const struct auth_user_info_dc *client_info = NULL;
+       const struct auth_user_info_dc *device_info = NULL;
        struct samba_kdc_entry_pac client_pac_entry = {};
        TALLOC_CTX *mem_ctx = NULL;
        krb5_error_code code;
@@ -365,12 +366,40 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
                goto out;
        }
 
+       if (device != NULL) {
+               struct samba_kdc_entry *device_skdc_entry = NULL;
+               const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
+               struct samba_kdc_entry_pac device_pac_entry = {};
+
+               device_skdc_entry = talloc_get_type_abort(device->context,
+                                                         struct samba_kdc_entry);
+
+               if (device_krbtgt != NULL) {
+                       device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
+                                                                        struct samba_kdc_entry);
+               }
+
+               device_pac_entry = samba_kdc_entry_pac(device_pac,
+                                                      device_skdc_entry,
+                                                      samba_kdc_entry_is_trust(device_krbtgt_skdc_entry));
+
+               code = samba_kdc_get_user_info_dc(mem_ctx,
+                                                 context,
+                                                 kdc_db_ctx->samdb,
+                                                 device_pac_entry,
+                                                 &device_info,
+                                                 NULL /* resource_groups_out */);
+               if (code) {
+                       goto out;
+               }
+       }
+
        code = samba_kdc_check_s4u2proxy_rbcd(context,
                                              kdc_db_ctx,
                                              client->principal,
                                              server_principal,
                                              client_info,
-                                             NULL /* device_info_dc */,
+                                             device_info,
                                              (struct auth_claims) {},
                                              proxy_skdc_entry);
 out:
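Review bot: The new `if (device != NULL)` block leaves `device_info` as NULL whenever no device entry is supplied, so the call to samba_kdc_check_s4u2proxy_rbcd() silently falls back to the previous device-less evaluation; a comment on that branch would make the intent explicit, e.g. `/* No device entry: evaluate RBCD without device info, as before. */`. The block also repeats the client path visible in the first hunk (entry lookup, optional krbtgt lookup, samba_kdc_entry_pac(), samba_kdc_get_user_info_dc()); a static helper taking the entry, krbtgt and PAC and returning the user_info_dc would keep the two paths from drifting. Whether samba_kdc_entry_is_trust() and samba_kdc_entry_pac() tolerate a NULL `device_krbtgt_skdc_entry` or `device_pac` is not visible here; the client path presumably relies on the same behaviour, but it is worth confirming. hdb_samba4_check_rbcd() begins before and continues after this hunk.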