From: Joseph Sutton
Date: Wed, 27 Sep 2023 03:23:33 +0000 (+1300)
Subject: s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add the Claims Valid SID
X-Git-Tag: tevent-0.16.0~272
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cfeb3d75cb39966b5809dc9eea91385a4a5788e0;p=thirdparty%2Fsamba.git

s4:kdc: Have callers of samba_kdc_get_user_info_dc() themselves add the Claims Valid SID

samba_kdc_get_user_info_dc() does too much. It should be responsible only for getting account information, not for adding extra SIDs. By extracting the call to samba_kdc_add_claims_valid() into the former function’s callers, we’ll be able to remove the ‘claims_valid’ parameter in the next commit, reducing the function’s complexity.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 9b2483f5f2a..71560b298fc 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -487,7 +487,7 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 	nt_status = samba_kdc_get_user_info_dc(tmp_ctx,
 					       skdc_entry,
 					       asserted_identity,
-					       SAMBA_CLAIMS_VALID_INCLUDE,
+					       SAMBA_CLAIMS_VALID_EXCLUDE,
 					       &user_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);
@@ -498,6 +498,15 @@ krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
 		return EINVAL;
 	}
 
+	nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
+					       user_info_dc);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DBG_ERR("Failed to add Claims Valid: %s\n",
+			nt_errstr(nt_status));
+		talloc_free(tmp_ctx);
+		return EINVAL;
+	}
+
 	nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
 						  user_info_dc,
 						  group_inclusion,
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index bde24550265..645c0039c52 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
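Review bot: The behaviour-preservation of this split rests on samba_kdc_add_claims_valid() yielding the same SID set that samba_kdc_get_user_info_dc() produced with SAMBA_CLAIMS_VALID_INCLUDE; if anything inside the callee (say, SID de-duplication or filtering) ran after the Claims Valid SID was appended, it now runs before it, which the hunk cannot show. The same pattern appears at the other three sites (samba_kdc_get_device_info_blob and samba_kdc_check_device in pac-glue.c, samba_wdc_get_pac in wdc-samba4.c), so one confirmation covers all four. A one-line comment at each site would save the next reader the question, e.g. `/* Claims Valid was previously appended inside samba_kdc_get_user_info_dc(); it is added here so that helper only fetches account data. */`. The body of mit_samba_get_pac() continues outside the hunk on both sides.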
@@ -2027,7 +2027,7 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
 	nt_status = samba_kdc_get_user_info_dc(frame,
 					       device,
 					       SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
-					       SAMBA_CLAIMS_VALID_INCLUDE,
+					       SAMBA_CLAIMS_VALID_EXCLUDE,
 					       &device_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
@@ -2036,6 +2036,15 @@ static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
 		return KRB5KDC_ERR_TGT_REVOKED;
 	}
 
+	nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
+					       device_info_dc);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DBG_ERR("Failed to add Claims Valid: %s\n",
+			nt_errstr(nt_status));
+		talloc_free(frame);
+		return KRB5KDC_ERR_TGT_REVOKED;
+	}
+
 	nt_status = auth_convert_user_info_dc_saminfo3(frame, device_info_dc,
 						       AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED,
 						       &info3,
@@ -2927,7 +2936,7 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 		nt_status = samba_kdc_get_user_info_dc(frame,
 						       device,
 						       SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
-						       SAMBA_CLAIMS_VALID_INCLUDE,
+						       SAMBA_CLAIMS_VALID_EXCLUDE,
 						       &device_info);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
@@ -2936,6 +2945,16 @@ krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
 			code = KRB5KDC_ERR_TGT_REVOKED;
 			goto out;
 		}
+
+		nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
+						       device_info);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			DBG_ERR("Failed to add Claims Valid: %s\n",
+				nt_errstr(nt_status));
+
+			code = KRB5KDC_ERR_TGT_REVOKED;
+			goto out;
+		}
 	}
 
 	nt_status = authn_policy_authenticate_from_device(frame,
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 41fd32a852c..c9e1d3fdb89 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -126,13 +126,22 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 	nt_status = samba_kdc_get_user_info_dc(mem_ctx,
 					       skdc_entry,
 					       asserted_identity,
-					       SAMBA_CLAIMS_VALID_INCLUDE,
+					       SAMBA_CLAIMS_VALID_EXCLUDE,
 					       &user_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(mem_ctx);
 		return map_errno_from_nt_status(nt_status);
 	}
 
+	nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
+					       user_info_dc);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DBG_ERR("Failed to add Claims Valid: %s\n",
+			nt_errstr(nt_status));
+		talloc_free(mem_ctx);
+		return map_errno_from_nt_status(nt_status);
+	}
+
 	/*
 	 * For an S4U2Self request, the authentication policy is not enforced.
 	 */