From: Jennifer Sutton
Date: Mon, 25 Aug 2025 00:40:09 +0000 (+1200)
Subject: s4:kdc: Implement Object SID certificate security extension
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=15285bc2b268d65ff6dca3849e8da4e69da03ab5;p=thirdparty%2Fsamba.git

s4:kdc: Implement Object SID certificate security extension

Signed-off-by: Jennifer Sutton
Reviewed-by: Gary Lockyer
---

diff --git a/selftest/knownfail_heimdal_kdc.d/sid-extension b/selftest/knownfail_heimdal_kdc.d/sid-extension
deleted file mode 100644
index 007e53703b7..00000000000
--- a/selftest/knownfail_heimdal_kdc.d/sid-extension
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba\.tests\.krb5\.pkinit_certificate_mapping_tests\.samba\.tests\.krb5\.pkinit_certificate_mapping_tests\.PkInitCertificateMappingTests\.test_object_sid\(ad_dc_ntvfs\)
-^samba\.tests\.krb5\.pkinit_certificate_mapping_tests\.samba\.tests\.krb5\.pkinit_certificate_mapping_tests\.PkInitCertificateMappingTests\.test_object_sid\(ad_dc_smb1\)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 6bdce0f3363..aa3418c48db 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1934,7 +1934,6 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	NTTIME acct_expiry;
 	NTSTATUS status;
 	bool protected_user = false;
-	struct dom_sid sid;
 	uint32_t rid;
 	bool is_krbtgt = false;
 	bool is_rodc = false;
@@ -2161,11 +2160,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	/* The lack of password controls etc applies to krbtgt by
 	 * virtue of being that particular RID */
-	ret = samdb_result_dom_sid_buf(msg, "objectSid", &sid);
+	ret = samdb_result_dom_sid_buf(msg, "objectSid", &entry->sid);
 	if (ret) {
 		goto out;
 	}
 
-	status = dom_sid_split_rid(NULL, &sid, NULL, &rid);
+	status = dom_sid_split_rid(NULL, &entry->sid, NULL, &rid);
 	if (!NT_STATUS_IS_OK(status)) {
 		ret = EINVAL;
 		goto out;
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index 6211184e2a2..6026ed86468 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -24,6 +24,8 @@
 #ifndef _KDC_SDB_H_
 #define _KDC_SDB_H_
 
+#include "librpc/gen_ndr/security.h"
+
 struct sdb_salt {
 	unsigned int type;
 	krb5_data salt;
@@ -133,6 +135,7 @@ struct sdb_entry {
 	struct SDBFlags flags;
 	struct sdb_pub_keys pub_keys;
 	struct sdb_certificate_mappings mappings;
+	struct dom_sid sid;
 };
 
 #define SDB_ERR_NOENTRY 36150275
diff --git a/source4/kdc/sdb_to_hdb.c b/source4/kdc/sdb_to_hdb.c
index 3e89adea9d0..7845f93cc49 100644
--- a/source4/kdc/sdb_to_hdb.c
+++ b/source4/kdc/sdb_to_hdb.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include "libcli/security/dom_sid.h"
 #include "rfc2459_asn1.h"
 #include "sdb.h"
 #include "sdb_hdb.h"
@@ -662,6 +663,44 @@ int sdb_entry_to_hdb_entry(krb5_context context,
 		}
 	}
 
+	{
+		HDB_extension ext;
+		ObjectSid src_sid;
+		ObjectSid object_sid;
+		struct dom_sid_buf sid_buf;
+		char *sid_str = NULL;
+
+		sid_str = dom_sid_str_buf(&s->sid, &sid_buf);
+		if (sid_str == NULL) {
+			rc = ENOMEM;
+			goto error;
+		}
+
+		src_sid = (ObjectSid)
+		{
+			.data = sid_str,
+			.length = strlen(sid_str),
+		};
+
+		rc = der_copy_octet_string(&src_sid, &object_sid);
+		if (rc != 0) {
+			goto error;
+		}
+
+		ext = (HDB_extension){
+			.mandatory = FALSE,
+			.data = {
+				.element = choice_HDB_extension_data_object_sid,
+				.u.object_sid = object_sid,
+			}};
+
+		rc = hdb_replace_extension(context, h, &ext);
+		free_ObjectSid(&object_sid);
+		if (rc != 0) {
+			goto error;
+		}
+	}
+
 	h->context = ske;
 	if (ske != NULL) {
 		ske->kdc_entry = h;
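Review bot: The new `sid` member of struct sdb_entry carries no comment saying what it holds or who fills it, unlike the neighbouring members whose names are self-describing; a one-liner such as `/* objectSid of the account, read from the directory entry; exported to HDB as the object_sid extension */` would tell an sdb_entry producer other than samba_kdc_message2entry that it is now expected to populate this field. The db-glue.c hunk in this commit is the only producer visible here, so whether every sdb_entry constructor fills it cannot be confirmed from this page. struct sdb_entry begins outside the hunk.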
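Review bot: The new block in sdb_entry_to_hdb_entry publishes s->sid on every entry with no comment tying it to its purpose, and only the commit title connects it to certificate mapping; a header comment such as `/* Publish the account's objectSid (string form) as the HDB object_sid extension so the PKINIT certificate-mapping code can check it against the SID carried in a client certificate. */` would make the intent visible where the extension is built. Because the extension is added unconditionally, any sdb_entry producer that leaves sid zeroed would export a meaningless all-zero SID; it is worth confirming that no such producer exists or guarding on `s->sid.num_auths` before building the extension, though that depends on callers outside this page. On style, `src_sid` can be initialized at its declaration, `ObjectSid src_sid = { .data = sid_str, .length = strlen(sid_str) };`, which removes the separate compound-literal assignment and the uninitialized declaration above it. Freeing object_sid right after hdb_replace_extension is presumably safe only because that call copies the extension into h; a short comment noting that would save the next reader a trip into Heimdal. sdb_entry_to_hdb_entry begins and ends outside the hunk.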