From: Joseph Sutton Date: Wed, 25 Oct 2023 01:56:41 +0000 (+1300) Subject: s4:kdc: Add device to default groups for RBCD conditions evaluation X-Git-Tag: talloc-2.4.2~1085 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f48afb2ba71595d49c444a36453b1ef1f5bbb340;p=thirdparty%2Fsamba.git s4:kdc: Add device to default groups for RBCD conditions evaluation This means that expressions like ‘Device_Member_of(WD)’ will now work, as they should. It *also* means that expressions like ‘Device_Member_of(NU)’ will work, even though they shouldn’t. This is because we consider SID_NT_NETWORK to be a default group. Our new behaviour may be wrong, but at least it’s now consistent with the behaviour of user‐relative expressions like ‘Member_of(WD)’ and ‘Member_of(NU)’. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 55503dc86bc..e51698a2a78 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc 
@@ -133,6 +133,6 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\) ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_delegating_proxy_in_network_group_rbcd\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_authenticated_users_rbcd\(ad_dc\)$ -^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_world_group_rbcd\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$ diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 90be0434c36..b8629212e6a 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -3413,6 +3413,7 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( struct security_token *security_token = NULL; uint32_t session_info_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS | + AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS | AUTH_SESSION_INFO_SIMPLE_PRIVILEGES | AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION; /*
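Review bot: in the knownfail_heimdal_kdc hunk the entry for test_device_in_world_group_rbcd is dropped and an entry for test_device_in_network_group_rbcd is added, but nothing in the file records why the network-group case is expected to fail. The commit message gives the reason (SID_NT_NETWORK is treated as a default group, so ‘Device_Member_of(NU)’ evaluates true when it should not); please carry that reason into a comment beside the new knownfail line, or a bug reference, so the entry is not mistaken later for an unexplained test regression. Only the Heimdal knownfail is updated here; if the same conditional_ace_tests run against the MIT KDC build, the matching knownfail list needs the same change.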
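Review bot: in the db-glue.c hunk, the new AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS flag in samba_kdc_check_s4u2proxy_rbcd() widens the device part of the security token that the RBCD conditional ACE is evaluated against, and the commit message admits this also makes ‘Device_Member_of(NU)’ succeed because SID_NT_NETWORK is counted as a default group. That known over-grant deserves a short comment next to the flag (for example "device also gets the default groups, including SID_NT_NETWORK; consistent with Member_of(NU) for users but possibly wrong") so a later reader does not have to recover the rationale from git history, and so the session_info_flags computed here stay visibly in step with whatever the user-side default-group logic does when that is revisited.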