From: Joseph Sutton
Date: Tue, 31 Oct 2023 01:50:12 +0000 (+1300)
Subject: s4:kdc: Do not add Claims Valid SID twice
X-Git-Tag: talloc-2.4.2~921
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6760dd48ad0c0e7e003c1911a79535d144655126;p=thirdparty%2Fsamba.git
s4:kdc: Do not add Claims Valid SID twice
samba_kdc_get_user_info_dc() now adds the SID itself.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 17c01928f9d..59492766a47 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -3182,8 +3182,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 TALLOC_CTX *frame = NULL;
 krb5_error_code code = 0;
 NTSTATUS nt_status;
- const struct auth_user_info_dc *device_info_const = NULL;
- struct auth_user_info_dc *device_info_shallow_copy = NULL;
+ const struct auth_user_info_dc *device_info = NULL;
 struct authn_audit_info *client_audit_info = NULL;
 struct auth_claims auth_claims = {};
@@ -3227,39 +3226,12 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 context,
 samdb,
 device,
- &device_info_const,
+ &device_info,
 NULL);
 if (code) {
 goto out;
 }
- if (!samba_krb5_pac_is_trusted(device)) {
- /* Make a shallow copy of the user_info_dc structure. */
- nt_status = authsam_shallow_copy_user_info_dc(frame,
- device_info_const,
- &device_info_shallow_copy);
- device_info_const = NULL;
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("Failed to copy user_info_dc: %s\n",
- nt_errstr(nt_status));
-
- code = KRB5KDC_ERR_TGT_REVOKED;
- goto out;
- }
-
- nt_status = samba_kdc_add_claims_valid(device_info_shallow_copy);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DBG_ERR("Failed to add Claims Valid: %s\n",
- nt_errstr(nt_status));
-
- code = KRB5KDC_ERR_TGT_REVOKED;
- goto out;
- }
- /* no more modification required so we can assign to const now */
- device_info_const = device_info_shallow_copy;
- }
-
 /*
 * The device claims become the *user* claims for the purpose of
 * evaluating a conditional ACE expression.
@@ -3276,7 +3248,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 nt_status = authn_policy_authenticate_from_device(frame,
 samdb,
 lp_ctx,
- device_info_const,
+ device_info,
 auth_claims,
 client_policy,
 &client_audit_info);
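Review bot: With the `!samba_krb5_pac_is_trusted(device)` branch removed in the second hunk, nothing at this call site records that `device_info` already carries the Claims Valid SID when it reaches `authn_policy_authenticate_from_device()` in the third hunk. The commit message says samba_kdc_get_user_info_dc() now adds it, but that helper is outside this diff, so the guarantee cannot be confirmed from the visible lines; because the SID set feeds the conditional ACE evaluation, a short comment above the `if (code)` check would pin the dependency, e.g. `/* device_info already includes the Claims Valid SID where required; samba_kdc_get_user_info_dc() adds it. */`. A test for the path where `samba_krb5_pac_is_trusted(device)` is false, asserting the SID is present exactly once, would catch a regression in either direction. The body of samba_kdc_check_device starts and ends outside these hunks.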