From: Joseph Sutton Date: Wed, 27 Sep 2023 03:38:23 +0000 (+1300) Subject: s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add an Asserted Ident... X-Git-Tag: tevent-0.16.0~270 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3c480886ade3cc58123e6d635e8af35ca11e769b;p=thirdparty%2Fsamba.git s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add an Asserted Identity SID samba_kdc_get_user_info_dc() does too much. It should be responsible only for getting account information, not for adding extra SIDs. By extracting the call to samba_kdc_add_asserted_identity() into the former function’s callers, we’ll be able to remove the ‘asserted_identity’ parameter in the next commit, reducing the function’s complexity. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index cb65b20f353..2646190fe99 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -486,7 +486,7 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx, nt_status = samba_kdc_get_user_info_dc(tmp_ctx, skdc_entry, - asserted_identity, + SAMBA_ASSERTED_IDENTITY_IGNORE, &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); @@ -497,6 +497,15 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx, return EINVAL; } + nt_status = samba_kdc_add_asserted_identity(asserted_identity, + user_info_dc); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Failed to add asserted identity: %s\n", + nt_errstr(nt_status)); + talloc_free(tmp_ctx); + return EINVAL; + } + nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE, user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 80470f3eeff..0b9c58db6b7 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c 
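Review bot: Nothing at the call site in mit_samba_get_pac() records that the caller is now responsible for adding the Asserted Identity SID, so a later reader seeing SAMBA_ASSERTED_IDENTITY_IGNORE passed to samba_kdc_get_user_info_dc() could take it as an intent to leave the SID out of the PAC. A one-line comment above that call would make the contract explicit, e.g. `/* Only fetch the account information here; the Asserted Identity SID is added separately below. */`. The same comment belongs at the other call sites in this commit, in samba_kdc_obtain_user_info_dc(), samba_kdc_get_device_info_blob() and samba_kdc_check_device() in pac-glue.c and in samba_wdc_get_pac() in wdc-samba4.c. Treating a failure of samba_kdc_add_asserted_identity() as fatal, rather than issuing a PAC without the SID, is the right choice at all of them. mit_samba_get_pac() starts before and continues past this hunk.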
@@ -1215,7 +1215,7 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx, */ nt_status = samba_kdc_get_user_info_dc(mem_ctx, skdc_entry, - SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, + SAMBA_ASSERTED_IDENTITY_IGNORE, &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n", @@ -1223,6 +1223,15 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx, ret = KRB5KDC_ERR_TGT_REVOKED; goto out; } + + nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, + user_info_dc); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Failed to add asserted identity: %s\n", + nt_errstr(nt_status)); + ret = KRB5KDC_ERR_TGT_REVOKED; + goto out; + } } *user_info_dc_out = user_info_dc; @@ -2016,7 +2025,7 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx, nt_status = samba_kdc_get_user_info_dc(frame, device, - SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, + SAMBA_ASSERTED_IDENTITY_IGNORE, &device_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n", @@ -2025,6 +2034,15 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx, return KRB5KDC_ERR_TGT_REVOKED; } + nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, + device_info_dc); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Failed to add asserted identity: %s\n", + nt_errstr(nt_status)); + talloc_free(frame); + return KRB5KDC_ERR_TGT_REVOKED; + } + nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE, device_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { 
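Review bot: The added line `nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,` in samba_kdc_obtain_user_info_dc() runs well past the 80-column limit the surrounding code appears to keep, once the tab indent is counted; the same line is added in samba_kdc_get_device_info_blob() in this file and in samba_kdc_check_device() in a later hunk. Breaking after the opening parenthesis keeps both arguments aligned and within the limit: `nt_status = samba_kdc_add_asserted_identity(` / `SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,` / `user_info_dc);`. The enclosing function starts before and ends after the hunk.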
@@ -2924,7 +2942,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, } else { nt_status = samba_kdc_get_user_info_dc(frame, device, - SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, + SAMBA_ASSERTED_IDENTITY_IGNORE, &device_info); if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n", @@ -2934,6 +2952,16 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, goto out; } + nt_status = samba_kdc_add_asserted_identity(SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY, + device_info); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Failed to add asserted identity: %s\n", + nt_errstr(nt_status)); + + code = KRB5KDC_ERR_TGT_REVOKED; + goto out; + } + nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE, device_info); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index e0028b18222..f63453f81b4 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -125,13 +125,22 @@ static krb5_error_code samba_wdc_get_pac(void *priv, nt_status = samba_kdc_get_user_info_dc(mem_ctx, skdc_entry, - asserted_identity, + SAMBA_ASSERTED_IDENTITY_IGNORE, &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return map_errno_from_nt_status(nt_status); } + nt_status = samba_kdc_add_asserted_identity(asserted_identity, + user_info_dc); + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("Failed to add asserted identity: %s\n", + nt_errstr(nt_status)); + talloc_free(mem_ctx); + return map_errno_from_nt_status(nt_status); + } + nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE, user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) {
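Review bot: The new error branch in samba_kdc_check_device() has a stray blank line between the DBG_ERR() call and `code = KRB5KDC_ERR_TGT_REVOKED;`, which none of the parallel branches added in the other hunks of this commit have. Dropping it keeps the four sites visually identical, which helps since they are meant to be compared and kept in sync. samba_kdc_check_device() starts before and continues past the hunk.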