From: Stefan Metzmacher
Date: Thu, 22 Jun 2023 07:08:53 +0000 (+0200)
Subject: s4:kdc: clear client and device claims from trusts
X-Git-Tag: talloc-2.4.1~176
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fcea53584deadd41ecd5ce47402eee36168bbc24;p=thirdparty%2Fsamba.git

s4:kdc: clear client and device claims from trusts

As we don't support the Claims Transformation Algorithm [MS-CTA] we better clear claims as they have no valid meaning in our domain.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 168b3a4d246..bd7c3ce634d 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -2421,6 +2421,12 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 /* no-op */
 } else if (code != 0) {
 goto done;
+ } else if (device_krbtgt->is_trust) {
+ /*
+ * TODO: we need claim translation over trusts,
+ * for now we just clear them...
+ */
+ device_claims_blob = &data_blob_null;
 } else {
 DATA_BLOB *device_claims = NULL;
@@ -2588,6 +2594,14 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
 code = EINVAL;
 goto done;
 }
+
+ /*
+ * TODO: we need claim translation over trusts,
+ * for now we just clear them...
+ */
+ if (client_krbtgt->is_trust) {
+ client_claims_blob = &data_blob_null;
+ }
 } else {
 nt_status = samba_kdc_get_logon_info_blob(mem_ctx,
 user_info_dc,
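Review bot: The new `else if (device_krbtgt->is_trust)` branch explains what it does but not why clearing is the safe default, and the security rationale from the commit message ([MS-CTA] is unimplemented) is the part a future maintainer needs before "fixing" the TODO by passing the claims through. I would replace the TODO with `/* Claims from a trusted domain have no meaning here until claims transformation ([MS-CTA]) is implemented; passing them through would let the trusted DC assert arbitrary claims in our domain, so drop them. */`. The branch dereferences `device_krbtgt` unconditionally; presumably the earlier arms of this chain (outside the hunk) already guarantee it is non-NULL, but that is worth confirming since the chain starts above the hunk. It is also worth checking whether assigning `&data_blob_null` makes the later PAC assembly omit the device-claims buffer or emit an empty one, since the two are not equivalent on the wire. samba_kdc_update_pac begins and ends outside this hunk.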
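Review bot: The `if (client_krbtgt->is_trust)` reset sits at the end of the branch, after the `code = EINVAL; goto done;` error path that follows the earlier lines of this branch, so whatever claim extraction and validation happens above the hunk has presumably already run on data from the trusted domain before it is discarded; if that is the case, short-circuiting on `client_krbtgt->is_trust` before parsing would avoid decoding untrusted claim data only to throw it away, and would also mean a malformed foreign claims blob cannot fail the request that this change intends to make claims-free. The two hunks also express the same policy differently (an `else if` arm for the device, a trailing `if` for the client); one shape for both would make the rule easier to audit. As in the device case, the comment should carry the reason rather than only a TODO, e.g. `/* Claims from a trusted domain are not valid here until [MS-CTA] claims transformation exists; drop them rather than present them as local claims. */`. The enclosing samba_kdc_update_pac extends beyond both ends of the hunk.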