From: Joseph Sutton Date: Tue, 10 Oct 2023 02:40:13 +0000 (+1300) Subject: s4:kdc: Use device info to evaluate RBCD conditions X-Git-Tag: tevent-0.16.0~82 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f7064f6fd26e2ee302141fec77c3b98ad4c236ae;p=thirdparty%2Fsamba.git s4:kdc: Use device info to evaluate RBCD conditions Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 48151c582d6..33b758f7490 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -333,6 +333,7 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 const struct samba_kdc_entry *client_krbtgt_skdc_entry = NULL;
 struct samba_kdc_entry *proxy_skdc_entry = NULL;
 const struct auth_user_info_dc *client_info = NULL;
+ const struct auth_user_info_dc *device_info = NULL;
 struct samba_kdc_entry_pac client_pac_entry = {};
 TALLOC_CTX *mem_ctx = NULL;
 krb5_error_code code;
@@ -365,12 +366,40 @@ hdb_samba4_check_rbcd(krb5_context context, HDB *db,
 goto out;
 }
 
+ if (device != NULL) {
+ struct samba_kdc_entry *device_skdc_entry = NULL;
+ const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
+ struct samba_kdc_entry_pac device_pac_entry = {};
+
+ device_skdc_entry = talloc_get_type_abort(device->context,
+ struct samba_kdc_entry);
+
+ if (device_krbtgt != NULL) {
+ device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
+ struct samba_kdc_entry);
+ }
+
+ device_pac_entry = samba_kdc_entry_pac(device_pac,
+ device_skdc_entry,
+ samba_kdc_entry_is_trust(device_krbtgt_skdc_entry));
+
+ code = samba_kdc_get_user_info_dc(mem_ctx,
+ context,
+ kdc_db_ctx->samdb,
+ device_pac_entry,
+ &device_info,
+ NULL /* resource_groups_out */);
+ if (code) {
+ goto out;
+ }
+ }
+
 code = samba_kdc_check_s4u2proxy_rbcd(context,
 kdc_db_ctx,
 client->principal,
 server_principal,
 client_info,
- NULL /* device_info_dc */,
+ device_info,
 (struct auth_claims) {},
 proxy_skdc_entry);
 out:
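Review bot: The new block in the second hunk is gated on `device != NULL` alone, yet it also consumes `device_pac`, and nothing visible here establishes that the two are always set together. Whether a NULL `device_pac` is tolerated depends on `samba_kdc_entry_pac()` and `samba_kdc_get_user_info_dc()`, which are outside the hunk; because `device_info` now feeds the RBCD access decision, I would state the precondition at the top of the block, e.g. `/* device_pac is expected to be non-NULL whenever device is; failing to build device_info aborts the check. */`, or reject that case explicitly before the call. The `goto out` on a non-zero `code` fails closed, which is the right direction, since it avoids evaluating conditions against a partly built device identity. Note also that when `device_krbtgt` is NULL the block passes a NULL entry to `samba_kdc_entry_is_trust()`, so that helper presumably has to accept NULL. hdb_samba4_check_rbcd starts and ends outside the hunk, so the parameter declarations and the cleanup under `out:` are not visible here.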