From: Joseph Sutton
Date: Tue, 3 Oct 2023 05:45:17 +0000 (+1300)
Subject: s4:kdc: Split samba_kdc_get_user_info_from_pac() out of samba_kdc_obtain_user_info_dc()
X-Git-Tag: tevent-0.16.0~127
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=02daf011f754c77f82bda4538e6adf5c1e205350;p=thirdparty%2Fsamba.git
s4:kdc: Split samba_kdc_get_user_info_from_pac() out of samba_kdc_obtain_user_info_dc()
View with ‘git show -b’.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 5920e316719..0fd7f0cca35 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1179,16 +1179,17 @@ krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
return 0;
}
-static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
- krb5_context context,
- struct ldb_context *samdb,
- const enum auth_group_inclusion group_inclusion,
- const struct samba_kdc_entry_pac entry,
- struct auth_user_info_dc **info_out,
- struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out)
+static krb5_error_code samba_kdc_get_user_info_from_pac(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ struct ldb_context *samdb,
+ const enum auth_group_inclusion group_inclusion,
+ const struct samba_kdc_entry_pac entry,
+ struct auth_user_info_dc **info_out,
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out)
{
struct auth_user_info_dc *info = NULL;
struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL;
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_ptr = NULL;
krb5_error_code ret = 0;
NTSTATUS nt_status;
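Review bot: The new samba_kdc_get_user_info_from_pac() carries no comment stating that `entry.pac` must already have passed samba_krb5_pac_is_trusted(); that guard used to sit inside the old function body and now lives only in the caller, so nothing in this function's own code refuses a PAC that failed verification. Since this is the function that turns PAC contents into the user's authorization data, a future caller that skips the trust check would silently accept group membership from a PAC the KDC is supposed to discard (for example one an RODC generated, per the comment in the new samba_kdc_obtain_user_info_dc()). I would add a header comment such as `/* Build the user_info_dc from a PAC the caller has already verified with samba_krb5_pac_is_trusted(); never call this with an unverified PAC. */`, or defend in depth with an explicit `if (!samba_krb5_pac_is_trusted(entry)) return KRB5KDC_ERR_TGT_REVOKED;` at the top. The function body continues past the end of this hunk.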
@@ -1197,89 +1198,46 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
*resource_groups_out = NULL;
}
- if (samba_krb5_pac_is_trusted(entry)) {
- struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_ptr = NULL;
-
- if (resource_groups_out != NULL && group_inclusion == AUTH_EXCLUDE_RESOURCE_GROUPS) {
- /*
- * Since we are creating a TGT, resource groups from our domain
- * are not to be put into the PAC. Instead, we take the resource
- * groups directly from the original PAC and copy them
- * unmodified into the new one.
- */
- resource_groups_ptr = &resource_groups;
- }
-
- ret = kerberos_pac_to_user_info_dc(mem_ctx,
- entry.pac,
- context,
- &info,
- AUTH_EXCLUDE_RESOURCE_GROUPS,
- NULL,
- NULL,
- resource_groups_ptr);
- if (ret) {
- const char *krb5err = krb5_get_error_message(context, ret);
- DBG_ERR("kerberos_pac_to_user_info_dc failed: %s\n",
- krb5err != NULL ? krb5err : "?");
- krb5_free_error_message(context, krb5err);
-
- goto out;
- }
-
+ if (resource_groups_out != NULL && group_inclusion == AUTH_EXCLUDE_RESOURCE_GROUPS) {
/*
- * We need to expand group memberships within our local domain,
- * as the token might be generated by a trusted domain.
+ * Since we are creating a TGT, resource groups from our domain
+ * are not to be put into the PAC. Instead, we take the resource
+ * groups directly from the original PAC and copy them
+ * unmodified into the new one.
*/
- nt_status = authsam_update_user_info_dc(mem_ctx,
- samdb,
- info);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("authsam_update_user_info_dc failed: %s\n",
- nt_errstr(nt_status));
+ resource_groups_ptr = &resource_groups;
+ }
- ret = map_errno_from_nt_status(nt_status);
- goto out;
- }
- } else {
- if (entry.entry == NULL) {
- ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
- goto out;
- }
+ ret = kerberos_pac_to_user_info_dc(mem_ctx,
+ entry.pac,
+ context,
+ &info,
+ AUTH_EXCLUDE_RESOURCE_GROUPS,
+ NULL,
+ NULL,
+ resource_groups_ptr);
+ if (ret) {
+ const char *krb5err = krb5_get_error_message(context, ret);
+ DBG_ERR("kerberos_pac_to_user_info_dc failed: %s\n",
+ krb5err != NULL ? krb5err : "?");
+ krb5_free_error_message(context, krb5err);
- /*
- * In this case the RWDC discards the PAC an RODC generated.
- * Windows adds the asserted_identity in this case too.
- *
- * Note that SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION
- * generates KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
- * So we can always use
- * SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
- * here.
- */
- ret = samba_kdc_get_user_info_from_db(mem_ctx,
- samdb,
- entry.entry,
- entry.entry->msg,
- &info);
- if (ret) {
- const char *krb5err = krb5_get_error_message(context, ret);
- DBG_ERR("samba_kdc_get_user_info_from_db: %s\n",
- krb5err != NULL ? krb5err : "?");
- krb5_free_error_message(context, krb5err);
+ goto out;
+ }
- ret = KRB5KDC_ERR_TGT_REVOKED;
- goto out;
- }
+ /*
+ * We need to expand group memberships within our local domain,
+ * as the token might be generated by a trusted domain.
+ */
+ nt_status = authsam_update_user_info_dc(mem_ctx,
+ samdb,
+ info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DBG_ERR("authsam_update_user_info_dc failed: %s\n",
+ nt_errstr(nt_status));
- nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
- info);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("Failed to add asserted identity: %s\n",
- nt_errstr(nt_status));
- ret = KRB5KDC_ERR_TGT_REVOKED;
- goto out;
- }
+ ret = map_errno_from_nt_status(nt_status);
+ goto out;
}
*info_out = info;
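Review bot: The comment `Since we are creating a TGT, resource groups from our domain are not to be put into the PAC` now lives in samba_kdc_get_user_info_from_pac(), which cannot know whether a TGT is being issued; what the code actually tests is `group_inclusion == AUTH_EXCLUDE_RESOURCE_GROUPS` together with a non-NULL `resource_groups_out`. I would reword it to describe the condition rather than the caller's intent, e.g. `When the caller excludes resource groups (as when issuing a TGT) we do not expand them here; instead the resource groups from the original PAC are handed back so the caller can copy them unmodified into the new one.` The remainder of this function, including the `out:` label targeted by both `goto out` statements, is outside the hunk, so I could not confirm that `resource_groups` is released or stored into `*resource_groups_out` on every path.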
@@ -1297,6 +1255,81 @@ out:
return ret;
}
+static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
+ krb5_context context,
+ struct ldb_context *samdb,
+ const enum auth_group_inclusion group_inclusion,
+ const struct samba_kdc_entry_pac entry,
+ struct auth_user_info_dc **info_out,
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out)
+{
+ struct auth_user_info_dc *info = NULL;
+ krb5_error_code ret = 0;
+ NTSTATUS nt_status;
+
+ *info_out = NULL;
+ if (resource_groups_out != NULL) {
+ *resource_groups_out = NULL;
+ }
+
+ if (samba_krb5_pac_is_trusted(entry)) {
+ return samba_kdc_get_user_info_from_pac(mem_ctx,
+ context,
+ samdb,
+ group_inclusion,
+ entry,
+ info_out,
+ resource_groups_out);
+ }
+
+ if (entry.entry == NULL) {
+ ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+ goto out;
+ }
+
+ /*
+ * In this case the RWDC discards the PAC an RODC generated.
+ * Windows adds the asserted_identity in this case too.
+ *
+ * Note that SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION
+ * generates KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
+ * So we can always use
+ * SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
+ * here.
+ */
+ ret = samba_kdc_get_user_info_from_db(mem_ctx,
+ samdb,
+ entry.entry,
+ entry.entry->msg,
+ &info);
+ if (ret) {
+ const char *krb5err = krb5_get_error_message(context, ret);
+ DBG_ERR("samba_kdc_get_user_info_from_db: %s\n",
+ krb5err != NULL ? krb5err : "?");
+ krb5_free_error_message(context, krb5err);
+
+ ret = KRB5KDC_ERR_TGT_REVOKED;
+ goto out;
+ }
+
+ nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
+ info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DBG_ERR("Failed to add asserted identity: %s\n",
+ nt_errstr(nt_status));
+ ret = KRB5KDC_ERR_TGT_REVOKED;
+ goto out;
+ }
+
+ *info_out = info;
+ info = NULL;
+
+out:
+ TALLOC_FREE(info);
+
+ return ret;
+}
+
static NTSTATUS samba_kdc_update_delegation_info_blob(TALLOC_CTX *mem_ctx,
krb5_context context,
const krb5_const_pac pac,
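Review bot: The new samba_kdc_obtain_user_info_dc() has no header comment, yet it is the point where the KDC decides whether the PAC-carried authorization data is trusted or is discarded and rebuilt from the directory, which is the most security-relevant branch in this path. I would document the two paths above the signature: a PAC that passes samba_krb5_pac_is_trusted() is converted by samba_kdc_get_user_info_from_pac(); otherwise the PAC is ignored, `entry.entry` must be non-NULL (else KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN), the user info is rebuilt from `entry.entry->msg`, the AUTHENTICATION_AUTHORITY asserted identity is added, and any failure on that path is reported as KRB5KDC_ERR_TGT_REVOKED. Note also that on the untrusted path `*resource_groups_out` is left NULL whatever `group_inclusion` says; that matches the old else branch, but a one-line comment saying it is intentional would stop a reader treating it as an omission. A minor style point: the trusted branch returns directly while every other exit goes through `goto out`; the early return is safe only because `info` is still NULL at that point, and `/* nothing allocated yet, so bypassing out: is safe */` would make that explicit.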