From: Joseph Sutton Date: Wed, 27 Sep 2023 22:43:57 +0000 (+1300) Subject: s4:kdc: Make use of ‘samba_kdc_entry_pac’ wrapper type X-Git-Tag: tevent-0.16.0~256 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=77b35c423eef521dcebc617e59fdbe5031f6808c;p=thirdparty%2Fsamba.git s4:kdc: Make use of ‘samba_kdc_entry_pac’ wrapper type Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 2ca31676c61..7410c9c5886 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -610,6 +610,7 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, struct samba_kdc_entry *client_skdc_entry = NULL; struct samba_kdc_entry *server_skdc_entry = NULL; struct samba_kdc_entry *krbtgt_skdc_entry = NULL; + struct samba_kdc_entry_pac client_pac_entry = {}; bool is_in_db = false; bool is_trusted = false; uint32_t flags = 0; @@ -658,10 +659,6 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, goto done; } - if (is_trusted) { - flags |= SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED; - } - if (kdc_flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION; } @@ -670,12 +667,16 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION; } + client_pac_entry = samba_kdc_entry_pac_from_trusted(old_pac, + client_skdc_entry, + samba_kdc_entry_is_trust(krbtgt_skdc_entry), + is_trusted); + code = samba_kdc_verify_pac(tmp_ctx, context, flags, - client_skdc_entry, - krbtgt_skdc_entry, - old_pac); + client_pac_entry, + krbtgt_skdc_entry); if (code != 0) { goto done; } @@ -685,17 +686,12 @@ krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, krbtgt_skdc_entry->kdc_db_ctx->samdb, krbtgt_skdc_entry->kdc_db_ctx->lp_ctx, flags, - krbtgt_skdc_entry, - client_skdc_entry, + client_pac_entry, server->princ, server_skdc_entry, NULL /* delegated_proxy_principal */, - NULL /* delegated_proxy */, - NULL /* delegated_proxy_pac */, - NULL /* device_krbtgt */, - NULL /* device */, - NULL /* device_pac */, - old_pac, + (struct samba_kdc_entry_pac) {} /* delegated_proxy */, + (struct samba_kdc_entry_pac) {} /* device */, new_pac, NULL /* server_audit_info_out */, NULL /* status_out */); diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index c122a9b46c5..279f4dc1397 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -903,6 +903,11 @@ struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac, } #endif /* HAVE_KRB5_PAC_IS_TRUSTED */ +static bool samba_kdc_entry_pac_issued_by_trust(const struct samba_kdc_entry_pac entry) +{ + return entry.pac != NULL && entry.is_from_trust; +} + /* * Look up the user's info in the database and create a auth_user_info_dc * structure. If the resulting structure is not talloc_free()d, it will be @@ -1177,9 +1182,7 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx, krb5_context context, struct ldb_context *samdb, const enum auth_group_inclusion group_inclusion, - struct samba_kdc_entry *skdc_entry, - const krb5_const_pac pac, - const bool pac_is_trusted, + const struct samba_kdc_entry_pac entry, struct auth_user_info_dc **user_info_dc_out, struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out) { @@ -1192,7 +1195,7 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx, *resource_groups_out = NULL; } - if (pac != NULL && pac_is_trusted) { + if (samba_krb5_pac_is_trusted(entry)) { struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups = NULL; if (group_inclusion == AUTH_EXCLUDE_RESOURCE_GROUPS) { @@ -1206,7 +1209,7 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx, } ret = kerberos_pac_to_user_info_dc(mem_ctx, - pac, + entry.pac, context, &user_info_dc, AUTH_EXCLUDE_RESOURCE_GROUPS, @@ -1237,7 +1240,7 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx, goto out; } } else { - if (skdc_entry == NULL) { + if (entry.entry == NULL) { ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; } @@ -1253,7 +1256,7 @@ static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx, * here. */ nt_status = samba_kdc_get_user_info_dc(mem_ctx, - skdc_entry, + entry.entry, &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n", @@ -1481,8 +1484,7 @@ out: /* Does a parse and SID check, but no crypto. */ static krb5_error_code samba_kdc_validate_pac_blob( krb5_context context, - const struct samba_kdc_entry *client_skdc_entry, - const krb5_const_pac pac) + const struct samba_kdc_entry_pac client) { TALLOC_CTX *frame = talloc_stackframe(); struct auth_user_info_dc *pac_user_info = NULL; @@ -1494,7 +1496,7 @@ static krb5_error_code samba_kdc_validate_pac_blob( /* * First, try to get the SID from the requester SID buffer in the PAC. */ - code = samba_get_requester_sid(frame, pac, context, &pac_sid); + code = samba_get_requester_sid(frame, client.pac, context, &pac_sid); if (code == ENOENT) { /* @@ -1502,7 +1504,7 @@ static krb5_error_code samba_kdc_validate_pac_blob( * SID in the LOGON_INFO PAC buffer. */ code = kerberos_pac_to_user_info_dc(frame, - pac, + client.pac, context, &pac_user_info, AUTH_EXCLUDE_RESOURCE_GROUPS, @@ -1523,7 +1525,7 @@ static krb5_error_code samba_kdc_validate_pac_blob( goto out; } - code = samdb_result_dom_sid_buf(client_skdc_entry->msg, + code = samdb_result_dom_sid_buf(client.entry->msg, "objectSid", &client_sid); if (code) { @@ -2126,26 +2128,22 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx, * * @param flags Bitwise OR'ed flags * - * @param client The client samba kdc entry. + * @param client The client samba kdc PAC entry. * @param krbtgt The krbtgt samba kdc entry. * - * @param pac The PAC - * @return A Kerberos error code. */ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, krb5_context context, uint32_t flags, - struct samba_kdc_entry *client, - const struct samba_kdc_entry *krbtgt, - const krb5_const_pac pac) + const struct samba_kdc_entry_pac client, + const struct samba_kdc_entry *krbtgt) { TALLOC_CTX *tmp_ctx = NULL; struct pac_blobs *pac_blobs = NULL; krb5_error_code code = EINVAL; NTSTATUS nt_status; - bool is_trusted = flags & SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED; tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { @@ -2153,32 +2151,32 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, goto done; } - if (client != NULL) { + if (client.entry != NULL) { /* * Check the objectSID of the client and pac data are the same. * Does a parse and SID check, but no crypto. */ - code = samba_kdc_validate_pac_blob(context, - client, - pac); + code = samba_kdc_validate_pac_blob(context, client); if (code != 0) { goto done; } } - if (!is_trusted) { + if (!samba_krb5_pac_is_trusted(client)) { const struct auth_user_info_dc *user_info_dc = NULL; WERROR werr; struct dom_sid *object_sids = NULL; uint32_t j; - if (client == NULL) { + if (client.entry == NULL) { code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto done; } - nt_status = samba_kdc_get_user_info_from_db(client, client->msg, &user_info_dc); + nt_status = samba_kdc_get_user_info_from_db(client.entry, + client.entry->msg, + &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("Getting user info for PAC failed: %s\n", nt_errstr(nt_status)); @@ -2203,7 +2201,7 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, werr = samba_rodc_confirm_user_is_allowed(user_info_dc->num_sids, object_sids, krbtgt, - client); + client.entry); if (!W_ERROR_IS_OK(werr)) { code = KRB5KDC_ERR_TGT_REVOKED; if (W_ERROR_EQUAL(werr, @@ -2234,7 +2232,7 @@ krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, code = pac_blobs_from_krb5_pac(tmp_ctx, context, - pac, + client.pac, &pac_blobs); if (code != 0) { goto done; @@ -2297,9 +2295,7 @@ done: * @param device_pac_is_trusted Whether the device's PAC was issued by a trusted server, * as opposed to an RODC. * - * @param client The client samba kdc entry. - * - * @param client_krbtgt The krbtgt samba kdc entry that verified the client + * @param client The client samba kdc PAC entry. * * @param server_principal The server principal * @@ -2309,22 +2305,11 @@ done: * updating the constrained delegation PAC * buffer. * - * @param delegated_proxy The delegated proxy kdc entry. + * @param delegated_proxy The delegated proxy kdc PAC entry. * - * @param delegated_proxy_pac The PAC from the primary TGT (i.e., that of - * the delegating service) during a constrained - * delegation request. - * - * @param device The computer's samba kdc entry; used for compound + * @param device The computer's samba kdc PAC entry; used for compound * authentication. * - * @param device_krbtgt The krbtgt samba kdc entry that verified the device - * - * @param device_pac The PAC from the computer's TGT; used - * for compound authentication. - * - * @param old_pac The old PAC - * * @param new_pac The new already allocated PAC * * @return A Kerberos error code. If no PAC should be returned, the code will be @@ -2335,17 +2320,12 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, struct ldb_context *samdb, struct loadparm_context *lp_ctx, uint32_t flags, - const struct samba_kdc_entry *client_krbtgt, - struct samba_kdc_entry *client, + const struct samba_kdc_entry_pac client, const krb5_const_principal server_principal, const struct samba_kdc_entry *server, const krb5_const_principal delegated_proxy_principal, - struct samba_kdc_entry *delegated_proxy, - const krb5_const_pac delegated_proxy_pac, - const struct samba_kdc_entry *device_krbtgt, - struct samba_kdc_entry *device, - const krb5_const_pac device_pac, - const krb5_const_pac old_pac, + const struct samba_kdc_entry_pac delegated_proxy, + const struct samba_kdc_entry_pac device, krb5_pac new_pac, struct authn_audit_info **server_audit_info_out, NTSTATUS *status_out) @@ -2358,9 +2338,6 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *deleg_blob = NULL; DATA_BLOB *requester_sid_blob = NULL; const DATA_BLOB *client_claims_blob = NULL; - bool client_pac_is_trusted = flags & SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED; - bool device_pac_is_trusted = flags & SAMBA_KDC_FLAG_DEVICE_KRBTGT_IS_TRUSTED; - bool delegated_proxy_pac_is_trusted = flags & SAMBA_KDC_FLAG_DELEGATED_PROXY_IS_TRUSTED; const DATA_BLOB *device_claims_blob = NULL; DATA_BLOB *device_info_blob = NULL; bool is_tgs = false; @@ -2404,16 +2381,16 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED; } - if (device != NULL && !is_tgs) { + if (device.entry != NULL && !is_tgs) { compounded_auth = SAMBA_COMPOUNDED_AUTH_INCLUDE; } else { compounded_auth = SAMBA_COMPOUNDED_AUTH_EXCLUDE; } - if (device != NULL && !is_tgs) { - SMB_ASSERT(device_pac != NULL); + if (device.entry != NULL && !is_tgs) { + SMB_ASSERT(device.pac != NULL); - if (device_pac_is_trusted) { + if (samba_krb5_pac_is_trusted(device)) { krb5_data device_claims_data; /* @@ -2421,14 +2398,14 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, * claims from the device PAC become the device claims * in the new PAC. */ - code = krb5_pac_get_buffer(context, device_pac, + code = krb5_pac_get_buffer(context, device.pac, PAC_TYPE_CLIENT_CLAIMS_INFO, &device_claims_data); if (code == ENOENT) { /* no-op */ } else if (code != 0) { goto done; - } else if (device_krbtgt->is_trust) { + } else if (samba_kdc_entry_pac_issued_by_trust(device)) { /* * TODO: we need claim translation over trusts, * for now we just clear them... @@ -2461,7 +2438,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, code = samba_kdc_create_device_info_blob(tmp_ctx, context, samdb, - device_pac, + device.pac, &device_info_blob); if (code != 0) { goto done; @@ -2469,7 +2446,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, } else { /* Don't trust RODC-issued claims. Regenerate them. */ nt_status = samba_kdc_get_claims_blob(tmp_ctx, - device, + device.entry, &device_claims_blob); if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("samba_kdc_get_claims_blob failed: %s\n", @@ -2480,7 +2457,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, /* Also regenerate device info. */ code = samba_kdc_get_device_info_blob(tmp_ctx, - device, + device.entry, &device_info_blob); if (code != 0) { goto done; @@ -2498,7 +2475,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, nt_status = samba_kdc_update_delegation_info_blob( deleg_blob, context, - old_pac, + client.pac, server_principal, delegated_proxy_principal, deleg_blob); @@ -2515,8 +2492,6 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, samdb, group_inclusion, client, - old_pac, - client_pac_is_trusted, &user_info_dc, &_resource_groups); if (code != 0) { @@ -2536,23 +2511,21 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, const struct samba_kdc_entry *auth_entry = NULL; struct auth_user_info_dc *auth_user_info_dc = NULL; - if (delegated_proxy != NULL) { - auth_entry = delegated_proxy; + if (delegated_proxy.entry != NULL) { + auth_entry = delegated_proxy.entry; code = samba_kdc_obtain_user_info_dc(tmp_ctx, context, samdb, AUTH_INCLUDE_RESOURCE_GROUPS, delegated_proxy, - delegated_proxy_pac, - delegated_proxy_pac_is_trusted, &auth_user_info_dc, NULL); if (code) { goto done; } } else { - auth_entry = client; + auth_entry = client.entry; auth_user_info_dc = user_info_dc; } @@ -2579,7 +2552,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, goto done; } - if (client_pac_is_trusted) { + if (samba_krb5_pac_is_trusted(client)) { pac_blob = talloc_zero(tmp_ctx, DATA_BLOB); if (pac_blob == NULL) { code = ENOMEM; @@ -2603,7 +2576,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, * TODO: we need claim translation over trusts, * for now we just clear them... */ - if (client_krbtgt->is_trust) { + if (samba_kdc_entry_pac_issued_by_trust(client)) { client_claims_blob = &data_blob_null; } } else { @@ -2640,7 +2613,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, /* Don't trust RODC-issued claims. Regenerate them. */ nt_status = samba_kdc_get_claims_blob(tmp_ctx, - client, + client.entry, &client_claims_blob); if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("samba_kdc_get_claims_blob failed: %s\n", @@ -2653,7 +2626,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, /* Check the types of the given PAC */ code = pac_blobs_from_krb5_pac(tmp_ctx, context, - old_pac, + client.pac, &pac_blobs); if (code != 0) { goto done; @@ -2725,7 +2698,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, goto done; } - if (!client_pac_is_trusted || !is_tgs) { + if (!samba_krb5_pac_is_trusted(client) || !is_tgs) { pac_blobs_remove_blob(pac_blobs, PAC_TYPE_ATTRIBUTES_INFO); } @@ -2758,7 +2731,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, goto done; } - if (client_pac_is_trusted && !is_tgs) { + if (samba_krb5_pac_is_trusted(client) && !is_tgs) { /* * The client may have requested no PAC when obtaining the * TGT. @@ -2766,7 +2739,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, bool requested_pac = false; code = samba_client_requested_pac(context, - old_pac, + client.pac, tmp_ctx, &requested_pac); if (code != 0 || !requested_pac) { @@ -2810,7 +2783,7 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, (type_data.data != NULL) ? &type_data : &null_data); } else { code = krb5_pac_get_buffer(context, - old_pac, + client.pac, type, &type_data); if (code != 0) { @@ -2842,9 +2815,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, krb5_context context, struct ldb_context *samdb, struct loadparm_context *lp_ctx, - struct samba_kdc_entry *device, - const krb5_const_pac device_pac, - const bool device_pac_is_trusted, + const struct samba_kdc_entry_pac device, const struct authn_kerberos_client_policy *client_policy, struct authn_audit_info **client_audit_info_out, NTSTATUS *status_out) @@ -2863,7 +2834,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, return 0; } - if (device == NULL || device_pac == NULL) { + if (device.entry == NULL || device.pac == NULL) { NTSTATUS out_status = NT_STATUS_INVALID_WORKSTATION; nt_status = authn_kerberos_client_policy_audit_info(mem_ctx, @@ -2891,7 +2862,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, frame = talloc_stackframe(); - if (device_pac_is_trusted) { + if (samba_krb5_pac_is_trusted(device)) { krb5_data device_logon_info; enum ndr_err_code ndr_err; @@ -2900,7 +2871,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, union PAC_INFO pac_logon_info; union netr_Validation validation; - code = krb5_pac_get_buffer(context, device_pac, + code = krb5_pac_get_buffer(context, device.pac, PAC_TYPE_LOGON_INFO, &device_logon_info); if (code != 0) { @@ -2955,7 +2926,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, } } else { nt_status = samba_kdc_get_user_info_dc(frame, - device, + device.entry, &device_info); if (!NT_STATUS_IS_OK(nt_status)) { DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n", diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h index 01d6290e428..b4592b4240a 100644 --- a/source4/kdc/pac-glue.h +++ b/source4/kdc/pac-glue.h @@ -52,9 +52,6 @@ enum samba_compounded_auth { enum { SAMBA_KDC_FLAG_PROTOCOL_TRANSITION = 0x00000001, SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION = 0x00000002, - SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED = 0x00000008, - SAMBA_KDC_FLAG_DEVICE_KRBTGT_IS_TRUSTED = 0x00000020, - SAMBA_KDC_FLAG_DELEGATED_PROXY_IS_TRUSTED = 0x00000040, }; bool samba_kdc_entry_is_trust(const struct samba_kdc_entry *entry); @@ -128,9 +125,8 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry, krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx, krb5_context context, uint32_t flags, - struct samba_kdc_entry *client, - const struct samba_kdc_entry *krbtgt, - krb5_const_pac pac); + const struct samba_kdc_entry_pac client, + const struct samba_kdc_entry *krbtgt); struct authn_audit_info; krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, @@ -138,17 +134,12 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, struct ldb_context *samdb, struct loadparm_context *lp_ctx, uint32_t flags, - const struct samba_kdc_entry *client_krbtgt, - struct samba_kdc_entry *client, + const struct samba_kdc_entry_pac client, const krb5_const_principal server_principal, const struct samba_kdc_entry *server, const krb5_const_principal delegated_proxy_principal, - struct samba_kdc_entry *delegated_proxy, - const krb5_const_pac delegated_proxy_pac, - const struct samba_kdc_entry *device_krbtgt, - struct samba_kdc_entry *device, - const krb5_const_pac device_pac, - const krb5_const_pac old_pac, + const struct samba_kdc_entry_pac delegated_proxy, + const struct samba_kdc_entry_pac device, krb5_pac new_pac, struct authn_audit_info **server_audit_info_out, NTSTATUS *status_out); @@ -186,9 +177,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx, krb5_context context, struct ldb_context *samdb, struct loadparm_context *lp_ctx, - struct samba_kdc_entry *device, - krb5_const_pac device_pac, - bool device_pac_is_trusted, + const struct samba_kdc_entry_pac device, const struct authn_kerberos_client_policy *client_policy, struct authn_audit_info **client_audit_info_out, NTSTATUS *status_out); diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index d78f3fa0ba3..82b638ed7be 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -277,6 +277,7 @@ static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r, struct samba_kdc_entry *client_skdc_entry = NULL; struct samba_kdc_entry *krbtgt_skdc_entry = talloc_get_type_abort(krbtgt->context, struct samba_kdc_entry); + struct samba_kdc_entry_pac client_pac_entry = {}; TALLOC_CTX *mem_ctx = NULL; krb5_error_code ret; bool is_s4u2self = samba_wdc_is_s4u2self_req(r); @@ -284,6 +285,10 @@ static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r, bool is_trusted = false; uint32_t flags = 0; + if (pac == NULL) { + return EINVAL; + } + mem_ctx = talloc_named(NULL, 0, "samba_wdc_verify_pac2 context"); if (mem_ctx == NULL) { return ENOMEM; @@ -308,6 +313,11 @@ static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r, goto out; } + krb5_pac_set_trusted(pac, is_trusted); + client_pac_entry = samba_kdc_entry_pac(pac, + client_skdc_entry, + samba_kdc_entry_is_trust(krbtgt_skdc_entry)); + if (is_s4u2self) { flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION; } @@ -359,16 +369,11 @@ static krb5_error_code samba_wdc_verify_pac2(astgs_request_t r, flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION; } - if (is_trusted) { - flags |= SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED; - } - ret = samba_kdc_verify_pac(mem_ctx, context, flags, - client_skdc_entry, - krbtgt_skdc_entry, - pac); + client_pac_entry, + krbtgt_skdc_entry); if (ret != 0) { goto out; } @@ -394,18 +399,16 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r, krb5_pac *pac) { krb5_context context = kdc_request_get_context((kdc_request_t)r); - const hdb_entry *device = kdc_request_get_explicit_armor_client(r); - const krb5_const_pac device_pac = kdc_request_get_explicit_armor_pac(r); struct samba_kdc_entry *delegated_proxy_skdc_entry = NULL; krb5_const_principal delegated_proxy_principal = NULL; + struct samba_kdc_entry_pac delegated_proxy_pac_entry = {}; struct samba_kdc_entry *client_skdc_entry = NULL; - struct samba_kdc_entry *device_skdc_entry = NULL; + struct samba_kdc_entry_pac client_pac_entry = {}; + struct samba_kdc_entry_pac device = {}; const struct samba_kdc_entry *server_skdc_entry = talloc_get_type_abort(server->context, struct samba_kdc_entry); const struct samba_kdc_entry *krbtgt_skdc_entry = talloc_get_type_abort(krbtgt->context, struct samba_kdc_entry); - const struct samba_kdc_entry *client_krbtgt_skdc_entry = krbtgt_skdc_entry; - const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL; TALLOC_CTX *mem_ctx = NULL; krb5_pac new_pac = NULL; struct authn_audit_info *server_audit_info = NULL; @@ -413,6 +416,10 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r, NTSTATUS reply_status = NT_STATUS_OK; uint32_t flags = 0; + if (pac == NULL) { + return EINVAL; + } + mem_ctx = talloc_named(NULL, 0, "samba_wdc_reget_pac context"); if (mem_ctx == NULL) { return ENOMEM; @@ -424,21 +431,21 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r, delegated_proxy_principal = delegated_proxy->principal; } + delegated_proxy_pac_entry = samba_kdc_entry_pac(delegated_proxy_pac, + delegated_proxy_skdc_entry, + /* The S4U2Proxy + * evidence ticket could + * not have been signed + * or issued by a krbtgt + * trust account. */ + false /* is_from_trust */); + if (client != NULL) { client_skdc_entry = talloc_get_type_abort(client->context, struct samba_kdc_entry); } - if (device != NULL) { - const hdb_entry *device_krbtgt = NULL; - - device_skdc_entry = talloc_get_type_abort(device->context, - struct samba_kdc_entry); - - device_krbtgt = kdc_request_get_explicit_armor_server(r); - device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context, - struct samba_kdc_entry); - } + device = samba_kdc_get_device_pac(r); ret = krb5_pac_init(context, &new_pac); if (ret != 0) { @@ -446,32 +453,21 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r, goto out; } - if (krb5_pac_is_trusted(*pac)) { - flags |= SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED; - } - if (device_pac != NULL && krb5_pac_is_trusted(device_pac)) { - flags |= SAMBA_KDC_FLAG_DEVICE_KRBTGT_IS_TRUSTED; - } - if (delegated_proxy_pac != NULL && krb5_pac_is_trusted(delegated_proxy_pac)) { - flags |= SAMBA_KDC_FLAG_DELEGATED_PROXY_IS_TRUSTED; - } + client_pac_entry = samba_kdc_entry_pac(*pac, + client_skdc_entry, + samba_kdc_entry_is_trust(krbtgt_skdc_entry)); ret = samba_kdc_update_pac(mem_ctx, context, krbtgt_skdc_entry->kdc_db_ctx->samdb, krbtgt_skdc_entry->kdc_db_ctx->lp_ctx, flags, - client_krbtgt_skdc_entry, - client_skdc_entry, + client_pac_entry, server->principal, server_skdc_entry, delegated_proxy_principal, - delegated_proxy_skdc_entry, - delegated_proxy_pac, - device_krbtgt_skdc_entry, - device_skdc_entry, - device_pac, - *pac, + delegated_proxy_pac_entry, + device, new_pac, &server_audit_info, &reply_status); @@ -700,16 +696,13 @@ static krb5_error_code samba_wdc_check_client_access(void *priv, TALLOC_CTX *tmp_ctx = NULL; const hdb_entry *client = NULL; struct samba_kdc_entry *kdc_entry; - const hdb_entry *device = kdc_request_get_armor_client(r); - struct samba_kdc_entry *device_skdc_entry = NULL; - const krb5_const_pac device_pac = kdc_request_get_armor_pac(r); + struct samba_kdc_entry_pac device = {}; struct authn_audit_info *client_audit_info = NULL; bool password_change; char *workstation; NTSTATUS nt_status; NTSTATUS check_device_status = NT_STATUS_OK; krb5_error_code ret = 0; - bool device_pac_is_trusted = false; client = kdc_request_get_client(r); @@ -720,22 +713,13 @@ static krb5_error_code samba_wdc_check_client_access(void *priv, kdc_entry = talloc_get_type_abort(client->context, struct samba_kdc_entry); - if (device != NULL) { - device_skdc_entry = talloc_get_type_abort(device->context, - struct samba_kdc_entry); - } - - if (device_pac != NULL) { - device_pac_is_trusted = krb5_pac_is_trusted(device_pac); - } + device = samba_kdc_get_device_pac(r); ret = samba_kdc_check_device(tmp_ctx, context, kdc_entry->kdc_db_ctx->samdb, kdc_entry->kdc_db_ctx->lp_ctx, - device_skdc_entry, - device_pac, - device_pac_is_trusted, + device, kdc_entry->client_policy, &client_audit_info, &check_device_status);